IIS SEARCH worm – Seen on IRC

<Curtman> What’s all this “SEARCH /x90x02xb1 …” stuff going on lately? New worm, or just script kiddies?
<DrBacchus> Curtman: It’s a worm. Couple months old.
<DrBacchus> fajita: SEARCH?
<fajita> rumour has it SEARCH is not a valid HTTP method, so disabling it becomes difficult. or https://drbacchus.com/recipes/SEARCH2.txt
<DrBacchus> Curtman: What fajita said.
<Curtman> DrBacchus: Yikes. It’s getting more and more frequent it seems. I’ve got 26 of them in the past 24 hours.
<DrBacchus> Curtman: It comes and goes. Depends on the concentration of IIS machines in your part of the IP-space.
<Curtman> DrBacchus: But it’s safe to assume they are coming from compromised boxen, right? I’ve been trying to alert them as they come in.
<DrBacchus> Curtman: Yes, that is coming from a compromised IIS.
<DrBacchus> Curtman: I had an automated notification thingy going for a while. A hacked-upon version of Apache::CodeRed
<Curtman> DrBacchus: I’ve just been using smbclient to connect to them, and printing a warning on their printers. 😉