[NTLUG:Discuss] Next IIS Virus engaged...it's fast and spreading.
David Camm
bbai at onramp.net
Tue Sep 18 23:18:55 CDT 2001
and in the last hour, i've discovered that there are at lesat 20 servers
on verio-owned networks
(where i have my colo'd boxes) that are already infected. verio told me
a few minutes ago that they're already experiencing routing problems
because of the traffic.
are we having fun yet?
is 'nimda' an encrypted version of 'bin laden'? <VBG>
david camm
advanced web systems
asenec at senechalle.net wrote:
>
> We're firewalling against the entire C to which
> a scanning ipaddress belongs--this thing has caused
> an 80% packet loss on our T3's and made our servers
> virtually inaccessible.
>
> Annette
>
> > From discuss-admin at ntlug.org Tue Sep 18 21:48 CDT 2001
> > From: kbrannen at gte.net
> > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20010913
> > X-Accept-Language: en-us
> > MIME-Version: 1.0
> > To: discuss at ntlug.org
> > Subject: Re: [NTLUG:Discuss] Next IIS Virus engaged...it's fast and spreading.
> > Content-Transfer-Encoding: 7bit
> > X-BeenThere: discuss at ntlug.org
> > X-Mailman-Version: 2.0.3
> > List-Help: <mailto:discuss-request at ntlug.org?subject=help>
> > List-Post: <mailto:discuss at ntlug.org>
> > List-Subscribe: <http://www.ntlug.org/mailman/listinfo/discuss>,
> > <mailto:discuss-request at ntlug.org?subject=subscribe>
> > List-Id: NTLUG Discussion List <discuss.ntlug.org>
> > List-Unsubscribe: <http://www.ntlug.org/mailman/listinfo/discuss>,
> > <mailto:discuss-request at ntlug.org?subject=unsubscribe>
> > List-Archive: <http://www.ntlug.org/pipermail/discuss/>
> > Date: Tue, 18 Sep 2001 16:35:38 -0500
> >
> > FYI, this does affect Apache on Linux machines, slightly. I noticed in my
> > Apache logs this afternoon a number of "GET .../cmd.exe" (it's signature)
> > followed by "httpd ... SIGTERM". So whatever it's doing, it can cause the
> > children httpd process to die. The parent is unaffect and forks another
> > child, so the end results is merely performance degradation, but there is an
> > affect on Linux boxes. BTW, this is with Apache 1.3.12. I may try to upgrade
> > one of our boxes tomorrow to 1.3.20 and see if that changes anything.
> >
> > While I had no serious thoughts about doing anything to the boxes that tried
> > to hit us because of the Code Red virus, I truely am comptemplating sending
> > email to "administrator" on each of the infected boxes I see from outside our
> > LAN telling them they're infected, and maybe nicely tell them they would not
> > have this problem if they ran Linux. :-)
> >
> > Kevin
> >
> >
> > Jack Snodgrass wrote:
> >
> > > Thanks for the heads up.... yesterday and the day before I had about
> > > 500 hits each to my error_log on my apache/linux box. So far today, (13
> > > hours into the day ) over 36,000 hits to the error_log. This virus is
> > > burning up a log of cycles/network traffic.
> > >
> > > jack
> > >
> > > ----- Original Message -----
> > > From: "Chris Cox" <cjcox at acm.org>
> > > To: <discuss at ntlug.org>
> > > Sent: Tuesday, September 18, 2001 12:04 PM
> > > Subject: [NTLUG:Discuss] Next IIS Virus engaged...it's fast and spreading.
> > >
> > >
> > >>Apparently spreads (so I'm told) through IE (not IIS), but infects
> > >>the IIS servers contacted by the browser (ick)... they in turn
> > >>infect their web pages and propagate the spread... (I can't
> > >>confirm all of this right now... I do know that I've seen
> > >>over 95 hosts infected today here... we're doing a full
> > >>port 80 shutdown).
> > >>
> > >>Be warned!
> >
> >
> >
> >
> > _______________________________________________
> > http://www.ntlug.org/mailman/listinfo/discuss
> >
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
More information about the Discuss
mailing list