It's a new worm using the same infection vector. It is a lot more aggressive, and uses the fact that machines near to itself are likely to be good places to find crackable machines. If you have a lot of customers with cracked NT boxes you'll get a lot of scans. If you have a nice C space in the middle of nowhere with no windows machines anywhere near, you might have a rather boring night.
Hey, and it leaves a cool backdoor floating about. Look for recent infectors and telnet to them like such:
Well, I wasn't going to be so blatently obvious about it :) <shnip>
Cool :)
Heh, lotsa fun ;)
Start grepping those proxy logs people for lusers attempting to do this
Hrm, good point.
(it won't work via a proxy anyhow, but that's no reason not to hunt down the offending luser and beat them senseless).
You can. Although I'm not going to give out explicit instructions how on a public mailing list :P So if you have a proxy between you and the internet it's not going to save you from people playing with your recently backdoored IIS server. -- It's all in the mind, ya know. --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog