yep that's the one...

-----Original Message-----
From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:01 PM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


This may or may not be relevant but I've just deleted an email from someone
I don't know which I'm sure had a virus attached. It has an .exe file
attached called readme.exe. I received a virus warning and just deleted it!



Kola Oyedeji
Web developer
Macromedia Certified Advanced ColdFusion 5 Developer
http://www.Alexandermark.com
(+44)020-8429-7300


> -----Original Message-----
> From: Rich Wild [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:58
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
>
>
> > Can you tell us Rich if it is impacting the servers ??
>
> nah - filling up firewall but nothing else.
>
> > Are you
> > patched, and does this thing use something new or is it the same
> > exploit as before...
>
> Yeah - we're patched
>
> dunno - we never got hit before.
>
> > -----Original Message-----
> > From: Paris Lundis [mailto:[EMAIL PROTECTED]]
> > Sent: 18 September 2001 16:03
> > To: CF-Talk
> > Subject: RE: Code Red backdoor triggered?
> >
> >
> > Uggh! not the code-red variations again...
> >
> > Can you tell us Rich if it is impacting the servers ?? Are  you
> > patched, and does this thing use something new or is it the same
> > exploit as before...
> >
> > Seems like it is becoming a net-30 terror :)
> >
> > -paris
> > [finding the future in the past, passing the future in the present]
> > [connecting people, places and things]
> >
> >
> > -----Original Message-----
> > From: Rich Wild <[EMAIL PROTECTED]>
> > Date: Tue, 18 Sep 2001 15:37:13 +0100
> > Subject: RE: Code Red backdoor triggered?
> >
> > > even we're getting hammered with syn flood attacks.
> > >
> > > Rich Wild
> > >
> > > > -----Original Message-----
> > > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > > Sent: 18 September 2001 15:52
> > > > To: CF-Talk
> > > > Subject: FW: Code Red backdoor triggered?
> > > >
> > > >
> > > > It seems there may be some unusual network activity today
> > > > worth noting.
> > > >
> > > > Dave Watts, CTO, Fig Leaf Software
> > > > http://www.figleaf.com/
> > > > voice: (202) 797-5496
> > > > fax: (202) 797-5444
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, 18 September, 2001 10:49
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: Code Red backdoor triggered?
> > > >
> > > >
> > > > > Heads up. Pay attention to your servers today. I just
> > > > > started detecting a *ton* of these requests. I think it's
> > > > > a follow-up worm programmed to take advantage of the
> > > > > backdoors Code Red dropped on infected computers. Maybe a
> > > > > Code Red III?
> > > > >
> > > > > -Cameron
> > > > >
> > > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > > > dhcp181.onewebsystems.com
> > > > > (130.205.102.181) on port 80 (tcp).
> > > > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > > > /scripts/root.exe?/c+dir HTTP/1.0
> > > > > Host: www
> > > > > Connnection: close
> > > >
> > > > After a more careful reading, I don't think this is an attack at all. I
> > > > think it's worse than an attack.
> > > >
> > > > The GET request doesn't do anything except run the DOS dir command using
> > > > the command processor. But, if a server responds with an HTTP 200 status
> > > > code, this indicates that the server is vulnerable to running cmd.exe
> > > > through the web server.
> > > >
> > > > So, my guess is that this is a vulnerability scan. Once a list of
> > > > vulnerable servers is compiled, a real attack would take much less time
> > > > than a Code Red-style attack, since you could build the list of
> > > > vulnerable servers into the attack code!
> > > >
> > > > This idea has been discussed a bit in the last month or so - it's called
> > > > a "Warhol" worm, the idea being that an attack might cover the mass of
> > > > vulnerable machines in fifteen minutes. Here's a URL to the article:
> > > >
> > > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > >

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
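The point Dave Watts makes in the quoted message is that the request itself is harmless; what tells you whether a host is compromised is the status code it returned to `GET /scripts/root.exe?/c+dir`. The Python below, added here as an example and not code from anyone on the thread, turns that observation into a log triage: it reads W3C-style IIS log lines, flags requests that would hand a command line to the Code Red II `root.exe` backdoor, and separates hosts that merely scanned (non-200) from requests the server actually executed (200). It goes slightly beyond the thread by also matching URL-encoded directory-traversal paths that reach the real `cmd.exe`. The log lines, IP addresses and the field layout (`date time c-ip cs-method cs-uri-stem cs-uri-query sc-status`) are all constructed assumptions.

```python
"""Triage IIS log lines for the backdoor probe quoted in the thread.

The probe is GET /scripts/root.exe?/c+dir: root.exe is the copy of cmd.exe
that Code Red II left in the IIS /scripts and /MSADC directories, and
"/c+dir" is the command line handed to it. The status code the server
returned is what matters: a 200 means the command ran and the host is
exposed; anything else means the probe was only a scan.

Example code added for this page, not from the original thread. The log
lines and IP addresses below are constructed; the W3C extended field layout
(date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumption.
"""
import re
from collections import Counter
from urllib.parse import unquote

# The root.exe paths are the Code Red II backdoor named in the thread. The
# cmd.exe pattern is a generalisation: it also catches the URL-encoded
# directory-traversal requests that reach the real cmd.exe in system32.
BACKDOOR_RE = re.compile(r"/(scripts|msadc)/root\.exe", re.IGNORECASE)
CMD_RE = re.compile(r"/cmd\.exe", re.IGNORECASE)

# Constructed sample log (not real traffic). 198.51.100.9 and 192.0.2.44 are
# RFC 5737 documentation addresses standing in for scanning hosts.
SAMPLE_LOG = """\
2001-09-18 09:25:55 198.51.100.9 GET /scripts/root.exe /c+dir 404
2001-09-18 09:25:56 198.51.100.9 GET /MSADC/root.exe /c+dir 404
2001-09-18 09:25:57 198.51.100.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 09:26:01 10.0.0.7 GET /index.cfm - 200
2001-09-18 09:26:03 192.0.2.44 GET /scripts/root.exe /c+dir 200
"""


def is_shell_request(uri_stem):
    """True if the requested path would hand a command line to cmd.exe."""
    # Decode twice so a double-encoded backslash (%255c) is seen as '\' too.
    decoded = unquote(unquote(uri_stem))
    return bool(BACKDOOR_RE.search(decoded) or CMD_RE.search(decoded))


def classify(line):
    """Return (client_ip, uri_stem, verdict) for a probe line, else None.

    verdict is "exposed" when the server answered 200 (the command executed)
    and "scan" for any other status (the probe was refused).
    """
    fields = line.split()
    if len(fields) < 7 or not fields[3].isalpha():
        return None  # not a request line in the assumed layout
    client_ip, uri_stem, status = fields[2], fields[4], fields[6]
    if not is_shell_request(uri_stem):
        return None
    verdict = "exposed" if status == "200" else "scan"
    return client_ip, uri_stem, verdict


def triage(log_text):
    """Summarise probes: hosts that only scanned vs requests that got a 200."""
    report = {"scan": Counter(), "exposed": []}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        client_ip, uri_stem, verdict = hit
        if verdict == "exposed":
            report["exposed"].append((client_ip, uri_stem))
        else:
            report["scan"][client_ip] += 1
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, count in result["scan"].items():
        print(f"scanned by {ip}: {count} refused shell request(s)")
    for ip, stem in result["exposed"]:
        print(f"EXPOSED: {ip} got a 200 for {stem}; the server ran a command")
```

A 404 for `root.exe` only tells you someone is building the list Dave describes; a 200 anywhere in the report means the server executed `dir` for a stranger and should be treated as compromised rather than merely patched.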