IIS SEARCH worm - Seen on IRC

<Curtman> What's all this "SEARCH /x90x02xb1 ..." stuff going on lately? New worm, or just script kiddies?
<DrBacchus> Curtman: It's a worm. Couple months old.
<DrBacchus> fajita: SEARCH?
<fajita> rumour has it SEARCH is not a valid HTTP method, so disabling it becomes difficult. or http://drbacchus.com/recipes/SEARCH2.txt
<DrBacchus> Curtman: What fajita said.
<Curtman> DrBacchus: Yikes. It's getting more and more frequent it seems. I've got 26 of them in the past 24 hours.
<DrBacchus> Curtman: It comes and goes. Depends on the concentration of IIS machines in your part of the IP-space.
<Curtman> DrBacchus: But it's safe to assume they are coming from compromised boxen, right? I've been trying to alert them as they come in.
<DrBacchus> Curtman: Yes, that is coming from a compromised IIS.
<DrBacchus> Curtman: I had an automated notification thingy going for a while. A hacked-upon version of Apache::CodeRed
<Curtman> DrBacchus: I've just been using smbclient to connect to them, and printing a warning on their printers. ;)

Yikes.

