we have loads of *.eml files, but they're just bad emails from the
mailspool, nothing to worry about.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 17:02
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
> 
> 
> Check for *.eml files on your IIS boxes, we got them 
> everywhere...and our
> virus software is not picking anything up at all...
> 
> 
> 
> -----Original Message-----
> From: Rich Wild [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 9:37 AM
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
> 
> 
> even we're getting hammered with syn flood attacks.
> 
> Rich Wild
> 
> > -----Original Message-----
> > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > Sent: 18 September 2001 15:52
> > To: CF-Talk
> > Subject: FW: Code Red backdoor triggered?
> >
> >
> > It seems there may be some unusual network activity today
> > worth noting.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> >
> >
> > -----Original Message-----
> > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 18 September, 2001 10:49
> > To: [EMAIL PROTECTED]
> > Subject: RE: Code Red backdoor triggered?
> >
> >
> > > Heads up. Pay attention to your servers today. I just
> > > started detecting a *ton* of these requests. I think it's
> > > a follow-up worm programmed to take advantage of the
> > > backdoors Code Red dropped on infected computers. Maybe a
> > > Code Red III?
> > >
> > > -Cameron
> > >
> > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > dhcp181.onewebsystems.com
> > > (130.205.102.181) on port 80 (tcp).
> > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > /scripts/root.exe?/c+dir HTTP/1.0
> > > Host: www
> > > Connnection: close
> >
> > After a more careful reading, I don't think this is an attack
> > at all. I
> > think it's worse than an attack.
> >
> > The GET request doesn't do anything except run the DOS dir
> > command using the
> > command processor. But, if a server responds with an HTTP 200
> > status code,
> > this indicates that the server is vulnerable to running
> > cmd.exe through the
> > web server.
> >
> > So, my guess is that this is a vulnerability scan. Once a
> > list of vulnerable
> > servers is compiled, a real attack would take much less time
> > than a Code
> > Red-style attack, since you could build the list of
> > vulnerable servers into
> > the attack code!
> >
> > This idea has been discussed a bit in the last month or so -
> > it's called a
> > "Warhol" worm, the idea being that an attack might cover the mass of
> > vulnerable machines in fifteen minutes. Here's a URL to the article:
> >
> > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
> ----------------------------------------------------------------------------
> Control your subscriptions to ACFUG lists via the ACFUG website at
> 
> 
> 
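An added example, not part of the thread and not code from any of the posters: a small Python log checker that applies Dave's rule from a defender's side. It reads web-server access log lines in Common Log Format (an assumption for this example; the excerpt quoted in the thread comes from a connection monitor and carries no status code, which is exactly the field the rule needs), treats any request for root.exe or cmd.exe as a backdoor probe, counts probes per source address, and raises an alert when the server itself answered 200, since that means the command processor ran. The sample lines are constructed; the source IP and the /scripts/root.exe?/c+dir path are the ones quoted above, and the cmd.exe variant is a constructed generalisation of the same check.

```python
import re
from collections import Counter

# Request paths the thread identifies as probes for the Code Red backdoor:
# root.exe is the copy of cmd.exe that Code Red II left in the IIS scripts
# directory, and "?/c+dir" asks it to run the DOS "dir" command. Matching
# cmd.exe as well generalises the check to the same class of request.
BACKDOOR_RE = re.compile(r"/(root|cmd)\.exe(\?|$|/)", re.IGNORECASE)

# Common Log Format line (assumed format for this example; the thread's own
# log excerpt has no status field, which is the field the rule depends on).
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)\s*$'
)

# Constructed sample lines, modelled on the request quoted in the thread.
# 192.0.2.44 is a documentation address, not a real scanner.
SAMPLE_LOG = """\
130.205.102.181 - - [18/Sep/2001:09:25:55 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3393
130.205.102.181 - - [18/Sep/2001:09:25:55 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3393
10.0.0.7 - - [18/Sep/2001:09:26:01 -0400] "GET /index.cfm HTTP/1.1" 200 8120
192.0.2.44 - - [18/Sep/2001:09:30:12 -0400] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 200 412
garbage line that does not parse
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """'probe' for a backdoor request the server refused, 'exposed' when the
    server answered 200 (the command processor ran), None for normal traffic."""
    if not BACKDOOR_RE.search(entry["path"]):
        return None
    return "exposed" if entry["status"] == 200 else "probe"


def scan_log(lines):
    """Summarise backdoor probes: who is scanning us, and whether any succeeded."""
    probes_by_source = Counter()
    exposed_requests = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not CLF (log noise, truncation)
        verdict = classify(entry)
        if verdict is None:
            continue
        probes_by_source[entry["host"]] += 1
        if verdict == "exposed":
            exposed_requests.append((entry["host"], entry["path"]))
    return {
        "probes_by_source": dict(probes_by_source),
        "exposed": bool(exposed_requests),
        "exposed_requests": exposed_requests,
    }


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG.splitlines())
    for host, n in sorted(result["probes_by_source"].items()):
        print(f"{host}: {n} backdoor probe(s)")
    if result["exposed"]:
        print("ALERT: this server answered 200 to a backdoor request:")
        for host, path in result["exposed_requests"]:
            print(f"  {host} {path}")
```

A 404 against root.exe only tells you someone is building the list Dave describes; a 200 in your own log is the signal that your box is on it, and that is the line to act on first.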
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists