we're seeing a HUGE number of hits all containing:
port=3641 probes and URL=/c/winnt/system32/cmd.exe attempts, and guess where
they're coming from?
the exact same machines that routinely have been doing the Code Red thing.

Damn




----- Original Message -----
From: "Paris Lundis" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 8:02 AM
Subject: RE: Code Red backdoor triggered?


> Uggh! not the code-red variations again...
>
> Can you tell us Rich if it is impacting the servers?? Are you
> patched, and does this thing use something new or is it the same
> exploit as before...
>
> Seems like it is becoming a net-30 terror :)
>
> -paris
> [finding the future in the past, passing the future in the present]
> [connecting people, places and things]
>
>
> -----Original Message-----
> From: Rich Wild <[EMAIL PROTECTED]>
> Date: Tue, 18 Sep 2001 15:37:13 +0100
> Subject: RE: Code Red backdoor triggered?
>
> > even we're getting hammered with syn flood attacks.
> >
> > Rich Wild
> >
> > > -----Original Message-----
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: 18 September 2001 15:52
> > > To: CF-Talk
> > > Subject: FW: Code Red backdoor triggered?
> > >
> > >
> > > It seems there may be some unusual network activity today
> > > worth noting.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > >
> > >
> > > -----Original Message-----
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, 18 September, 2001 10:49
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Code Red backdoor triggered?
> > >
> > >
> > > > Heads up. Pay attention to your servers today. I just
> > > > started detecting a *ton* of these requests. I think it's
> > > > a follow-up worm programmed to take advantage of the
> > > > backdoors Code Red dropped on infected computers. Maybe a
> > > > Code Red III?
> > > >
> > > > -Cameron
> > > >
> > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > > dhcp181.onewebsystems.com
> > > > (130.205.102.181) on port 80 (tcp).
> > > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > > /scripts/root.exe?/c+dir HTTP/1.0
> > > > Host: www
> > > > Connnection: close
> > >
> > > After a more careful reading, I don't think this is an attack
> > > at all. I think it's worse than an attack.
> > >
> > > The GET request doesn't do anything except run the DOS dir
> > > command using the command processor. But, if a server responds
> > > with an HTTP 200 status code, this indicates that the server is
> > > vulnerable to running cmd.exe through the web server.
> > >
> > > So, my guess is that this is a vulnerability scan. Once a list
> > > of vulnerable servers is compiled, a real attack would take much
> > > less time than a Code Red-style attack, since you could build the
> > > list of vulnerable servers into the attack code!
> > >
> > > This idea has been discussed a bit in the last month or so -
> > > it's called a "Warhol" worm, the idea being that an attack might
> > > cover the mass of vulnerable machines in fifteen minutes. Here's
> > > a URL to the article:
> > >
> > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> > ------------------------------------------------------------------------
> > Control your subscriptions to ACFUG lists via the ACFUG website at
> >
> >
> 
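The check Dave describes above (a request for root.exe or cmd.exe is only a probe, but a 200 response to it means the server really ran the command processor), as an added example that is not part of the original thread: a small Python detector that reads constructed Common Log Format access-log lines, flags the two probe paths quoted in this thread, counts probes per source host, and separates the requests the server rejected from the ones it answered with 200. The log lines, IP addresses (documentation ranges) and all function and class names are constructed for this illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample access-log lines in Common Log Format; these are not from
# the original thread. The addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:25:55 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
192.0.2.10 - - [18/Sep/2001:09:25:56 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
198.51.100.7 - - [18/Sep/2001:09:26:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1523
198.51.100.7 - - [18/Sep/2001:09:26:02 -0400] "GET /index.cfm HTTP/1.0" 200 8801
203.0.113.5 - - [18/Sep/2001:09:26:10 -0400] "GET /products.cfm?id=4 HTTP/1.0" 200 4410
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# The two request shapes quoted in the thread: the root.exe backdoor that
# Code Red dropped, and cmd.exe reached through a /c/winnt/... path.
PROBE_PATTERNS = (
    ("root.exe backdoor", re.compile(r"/root\.exe(\?|$)", re.I)),
    ("cmd.exe via traversal", re.compile(r"/winnt/system32/cmd\.exe(\?|$)", re.I)),
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    status: int
    label: str

    @property
    def responded_200(self) -> bool:
        # A 200 here means the server executed the request rather than
        # rejecting it; that host should be treated as exposed.
        return self.status == 200


def parse_clf(line: str):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_request(path: str):
    """Return the probe label for a request path, or None if it is not a known probe."""
    for label, pattern in PROBE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def scan_log(text: str):
    """Walk the log and collect every request matching a probe pattern."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue  # skip lines that are not CLF (e.g. truncated or blank)
        label = classify_request(rec["path"])
        if label:
            findings.append(Finding(rec["ip"], rec["ts"], rec["path"], rec["status"], label))
    return findings


def summarize(findings):
    """Probes per source host, plus the probes the server answered with 200."""
    by_ip = Counter(f.ip for f in findings)
    succeeded = [f for f in findings if f.responded_200]
    return by_ip, succeeded


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    counts, succeeded = summarize(found)
    for f in found:
        flag = "SERVER ANSWERED 200" if f.responded_200 else "rejected"
        print(f"{f.ip:15} {f.label:24} {f.path} -> {f.status} ({flag})")
    print("probes per source host:", dict(counts))
    print("probes that succeeded:", len(succeeded))
```

Point it at a real access log by replacing SAMPLE_LOG with the file contents. The per-host counter gives the list of repeat scanners the top post complains about; any entry at all in the "succeeded" list means the web server executed the command processor for a remote request and should be taken off the network for cleanup rather than just patched.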
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
