> We have temporarily renamed cmd.exe

Will that potentially have any side effects? Guess I'll find out.

Eric Dawson



From: "Larry Juncker" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: CF-Talk <[EMAIL PROTECTED]>
Subject: RE: Code Red backdoor triggered?
Date: Tue, 18 Sep 2001 11:12:22 -0500

We are having the same thing happen. From looking at the IIS logs, this worm
or whatever is using cmd.exe.
We have temporarily renamed cmd.exe in the system32 folder of NT until we
can get this caught and under control.

Larry Juncker
Senior Cold Fusion Developer
Heartland Communications Group, Inc.
[EMAIL PROTECTED]

-----Original Message-----
From: Rich Wild [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:58 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


 > Can you tell us Rich if it is impacting the servers ??

nah - filling up firewall but nothing else.

 > Are you patched, and does this thing use something new or is it the same
 > exploit as before...

Yeah - we're patched

dunno - we never got hit before.

 > -----Original Message-----
 > From: Paris Lundis [mailto:[EMAIL PROTECTED]]
 > Sent: 18 September 2001 16:03
 > To: CF-Talk
 > Subject: RE: Code Red backdoor triggered?
 >
 >
 > Uggh! not the code-red variations again...
 >
 > Can you tell us Rich if it is impacting the servers ?? Are  you
 > patched, and does this thing use something new or is it the same
 > exploit as before...
 >
 > Seems like it is becoming a net-30 terror :)
 >
 > -paris
 > [finding the future in the past, passing the future in the present]
 > [connecting people, places and things]
 >
 >
 > -----Original Message-----
 > From: Rich Wild <[EMAIL PROTECTED]>
 > Date: Tue, 18 Sep 2001 15:37:13 +0100
 > Subject: RE: Code Red backdoor triggered?
 >
 > > even we're getting hammered with syn flood attacks.
 > >
 > > Rich Wild
 > >
 > > > -----Original Message-----
 > > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
 > > > Sent: 18 September 2001 15:52
 > > > To: CF-Talk
 > > > Subject: FW: Code Red backdoor triggered?
 > > >
 > > >
 > > > It seems there may be some unusual network activity today
 > > > worth noting.
 > > >
 > > > Dave Watts, CTO, Fig Leaf Software
 > > > http://www.figleaf.com/
 > > > voice: (202) 797-5496
 > > > fax: (202) 797-5444
 > > >
 > > >
 > > > -----Original Message-----
 > > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
 > > > Sent: Tuesday, 18 September, 2001 10:49
 > > > To: [EMAIL PROTECTED]
 > > > Subject: RE: Code Red backdoor triggered?
 > > >
 > > >
 > > > > Heads up. Pay attention to your servers today. I just
 > > > > started detecting a *ton* of these requests. I think it's
 > > > > a follow-up worm programmed to take advantage of the
 > > > > backdoors Code Red dropped on infected computers. Maybe a
 > > > > Code Red III?
 > > > >
 > > > > -Cameron
 > > > >
 > > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
 > > > > dhcp181.onewebsystems.com
 > > > > (130.205.102.181) on port 80 (tcp).
 > > > > [09/18/2001 09:25:55.166 GMT-0400] GET
 > > > > /scripts/root.exe?/c+dir HTTP/1.0
 > > > > Host: www
 > > > > Connnection: close
 > > >
 > > > After a more careful reading, I don't think this is an attack at all.
 > > > I think it's worse than an attack.
 > > >
 > > > The GET request doesn't do anything except run the DOS dir command
 > > > using the command processor. But, if a server responds with an HTTP
 > > > 200 status code, this indicates that the server is vulnerable to
 > > > running cmd.exe through the web server.
 > > >
 > > > So, my guess is that this is a vulnerability scan. Once a list of
 > > > vulnerable servers is compiled, a real attack would take much less
 > > > time than a Code Red-style attack, since you could build the list of
 > > > vulnerable servers into the attack code!
 > > >
 > > > This idea has been discussed a bit in the last month or so - it's
 > > > called a "Warhol" worm, the idea being that an attack might cover the
 > > > mass of vulnerable machines in fifteen minutes. Here's a URL to the
 > > > article:
 > > >
 > > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
 > >
 > > Dave Watts, CTO, Fig Leaf Software
 > > http://www.figleaf.com/
 > > voice: (202) 797-5496
 > > fax: (202) 797-5444
 > >


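A defender-side check for the log pattern Larry and Dave describe (requests for root.exe or cmd.exe through IIS, and whether the server answered 200), as an added example that is not part of the thread; it assumes the IIS W3C extended log format, and the log excerpt, paths and addresses in it are constructed:

```python
import re

# Executables named in the thread: root.exe (the cmd.exe copy the Code Red II
# backdoor dropped) and cmd.exe itself. Paths below are constructed samples.
BACKDOOR_EXES = re.compile(r"/(root|cmd)\.exe$", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per record of an IIS W3C extended log, using its #Fields line."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated records rather than misalign
                yield dict(zip(fields, values))

def classify(record):
    """Verdict for one record, or None when it is not a root.exe/cmd.exe request."""
    if not BACKDOOR_EXES.search(record.get("cs-uri-stem", "")):
        return None
    # A 200 means IIS actually ran the command processor, which is what the
    # scanner in the thread was checking for; anything else means the probe
    # was seen but the executable was not served (e.g. renamed or missing).
    return "EXECUTED" if record.get("sc-status") == "200" else "BLOCKED"

def scan_iis_log(lines):
    """Return the probe records found in the log, each with its verdict."""
    findings = []
    for rec in parse_w3c(lines):
        verdict = classify(rec)
        if verdict:
            findings.append({"ip": rec.get("c-ip"), "uri": rec["cs-uri-stem"],
                             "query": rec.get("cs-uri-query"),
                             "status": rec.get("sc-status"), "verdict": verdict})
    return findings

# Constructed IIS 5.0 log excerpt (TEST-NET addresses); not taken from the thread.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:25:55 192.0.2.10 GET /scripts/root.exe /c+dir 200
2001-09-18 13:25:58 192.0.2.10 GET /scripts/cmd.exe /c+dir 404
2001-09-18 13:26:02 192.0.2.11 GET /index.cfm - 200
2001-09-18 13:26:05 192.0.2.12 GET /scripts/ROOT.EXE /c+dir 403
2001-09-18 13:26:09 192.0.2.13 GET /scripts/root.exe"""

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Any "EXECUTED" hit is the host Dave is warning about: the command processor ran for an anonymous web request, so the box needs to be treated as compromised, not just patched.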
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
