Check for *.eml files on your IIS boxes, we got them everywhere...and our
virus software is not picking anything up at all...
-----Original Message-----
From: Rich Wild [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:37 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?
even we're getting hammered with syn flood attacks.
Rich Wild
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:52
> To: CF-Talk
> Subject: FW: Code Red backdoor triggered?
>
>
> It seems there may be some unusual network activity today
> worth noting.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
>
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 18 September, 2001 10:49
> To: [EMAIL PROTECTED]
> Subject: RE: Code Red backdoor triggered?
>
>
> > Heads up. Pay attention to your servers today. I just
> > started detecting a *ton* of these requests. I think it's
> > a follow-up worm programmed to take advantage of the
> > backdoors Code Red dropped on infected computers. Maybe a
> > Code Red III?
> >
> > -Cameron
> >
> > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > dhcp181.onewebsystems.com
> > (130.205.102.181) on port 80 (tcp).
> > [09/18/2001 09:25:55.166 GMT-0400] GET
> > /scripts/root.exe?/c+dir HTTP/1.0
> > Host: www
> > Connnection: close
>
> After a more careful reading, I don't think this is an attack
> at all. I
> think it's worse than an attack.
>
> The GET request doesn't do anything except run the DOS dir
> command using the
> command processor. But, if a server responds with an HTTP 200
> status code,
> this indicates that the server is vulnerable to running
> cmd.exe through the
> web server.
>
> So, my guess is that this is a vulnerability scan. Once a
> list of vulnerable
> servers is compiled, a real attack would take much less time
> than a Code
> Red-style attack, since you could build the list of
> vulnerable servers into
> the attack code!
>
> This idea has been discussed a bit in the last month or so -
> it's called a
> "Warhol" worm, the idea being that an attack might cover the mass of
> vulnerable machines in fifteen minutes. Here's a URL to the article:
>
> http://hacktivism.openflows.org/article.pl?sid=01/08/13/123724
5&mode=nocomme
nt&threshold=
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
----------------------------------------------------------------------------
----
Control your subscriptions to ACFUG lists via the ACFUG website at
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Your ad could be here. Monies from ads go to support these lists and provide more
resources for the community. http://www.fusionauthority.com/ads.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
