Kevin Vance - Been reading about that worm that's going around on slashdot, and…

Entries | Archive | Friends | Friends' Friends | User Info

11:46 pm

Thursday, July 19th, 2001
Previous Entry Share Next Entry
Been reading about that worm that's going around on slashdot, and someone mentions that it sends a bunch of NNN characters over http to test for a buffer overflow. I've had 16 of these probes today, apparently. Scary how many boxes are going unsecured...
Link )Reply )

[User Picture]From: dormando
2001-07-19 08:48 pm (UTC)
Yeah, you missed all of the fun on friday the 13th when it started going off. That was intimidating.
(Reply) (Thread)
[User Picture]From: teferi
2001-07-19 10:09 pm (UTC)
iris logged 21 attempts.
(Reply) (Thread)
[User Picture]From: pvx
2001-07-19 11:52 pm (UTC)
IIS really is disgusting. It's just been one worm after another, and there's no end to the number of exploitable boxen.

And now with code red, every script kiddy's access.log has everything you need to construct your own custom IIS worm in an afternoon, not to mention a nice list of vulnerable IPs. This isn't ending any time soon.
(Reply) (Thread)
[User Picture]From: pvx
2001-07-20 12:07 am (UTC)
And if you think your 16 is a lot, some people on bugtraq and kin have been claiming hits numbering from the thousands to the millions.

0300:002:0:~$ grep NNNN /var/log/apache/access.log |wc -l

Some of the Windows Update servers were hit and defaced. Fairly ironic :)
(Reply) (Thread)
[User Picture]From: kvance
2001-07-20 05:03 am (UTC)
Heh, wow.

From what I've heard, the worm is supposed to make a random list of IPs, but it uses the same seed each time, so people on the beginning of that list are really screwed.
(Reply) (Parent) (Thread)