Welcome to WebmasterWorld Guest from 188.8.131.52
Forum Moderators: incrediBILL
edited to wrap the text
(edited by: msgraph at 7:14 pm (gmt) on July 19, 2001
Instead of this
"GET /default.ida?NNN....%u0000%u00=a HTTP/1.0"
I receive this
"GET / default.ida?NNN....%u0000%u00=a"
The "default.ida?NNNNN..." stuff is sent as the *protocol* not the page requested. Server logs report,
[Thu Jul 19 13:57:34 2001] [error] [client 184.108.40.206] Client sent malformed Host header
On another note, I just received the Sircam virus in an email this morning, so be on the lookout. Sircam distributes personal files from your computer to infect others.
More about it at the CNN link mentioned in an earlier post on this thread.
joined:Sept 1, 2000
For Immediate Release: 3:00 PM EDT July 29, 2001
A Very Real and Present Threat to the Internet: July 31 Deadline For Action
Summary: The Code Red Worm and mutations of the worm pose a continued
and serious threat to Internet users. Immediate action is required to
combat this threat. Users who have deployed software that is
vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must
install, if they have not done so already, a vital security patch.
How Big Is The Problem?
On July 19, the Code Red worm infected more than 250,000 systems in
just 9 hours. The worm scans the Internet, identifies vulnerable
systems, and infects these systems by installing itself. Each newly
installed worm joins all the others causing the rate of scanning to
grow rapidly. This uncontrolled growth in scanning directly decreases
the speed of the Internet and can cause sporadic but widespread
outages among all types of systems. Code Red is likely to start
spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that
it may be even more dangerous. This spread has the potential to
disrupt business and personal use of the Internet for applications
such as electronic commerce, email and entertainment.
Who Must Act?
Every organization or person who has Windows NT or Windows 2000
systems AND the IIS web server software may be vulnerable. IIS is
installed automatically for many applications. If you are not certain,
follow the instructions attached to determine whether you are running
IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows
Me, there is no action that you need to take in response to this
What To Do If You Are Vulnerable?
a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection: Install Microsoft?s patch for
the Code Red vulnerability problem:
* Windows NT version 4.0:
* Windows 2000 Professional, Server and Advanced Server:
Step-by-step instructions for these actions are posted at
Microsoft's description of the patch and its installation, and the
vulnerability it addresses is posted at:
Because of the importance of this threat, this alert is being made
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
Internet Security Systems
Internet Security Alliance
joined:Sept 1, 2000
Read the part that says...
>..spreading again on July 31st, 2001 8:00 PM EDT ....>
I believe the advisory was re-released recently since the Code Red worm has the potential to restart itself tomorrow evening. Because it's obvious many admins are not updating their systems with the latest patches/security fixes, it's a good idea to get this sort of information out as far as possible.
I wonder if certain ISP's out there see these bulk security mailings from MS as spam attempts and therefore block them after a certain amount is sent. Like if they receive more than x amount of mailings at one time on their server then they block the rest until another time. Either that or MS's subscription list gets wiped clean from time to time
I mean I'm sure only 10%, if that many, of those running MS software know about these bulletins but that is beside the point.
Another thing is MS's Windows update application. The one that sends info to MS to check for any updates related to your OS. They release a patch on their security site on one date, then three or more months down the road they post it on their Win update site.
Just so long as McAfee doesn't catch wind of it.... ;)
Somehow, I doubt the beast currently exists, as it hasn't hit the radars of...errr...well, any place I've searched, including BugTraq and McAfee (the guys who claim to have found the original "Bliss" first.)
I'd wonder where you heard it from. I'd chalk it up to hoax or wishful thinking. ;)
The message, if any, that this and other worms delivers is that there needs to be a standard way to contact system admins and anybody who runs a web server and provides no way for you to contact them should be metered out some form of disciplinary action, like a $1 fine to get their attention.
Yes, my grammar is suffering. It's late and I've just finished digesting my webserver logs!