RE: Code Red backdoor triggered?

2001-09-21 Thread Bud

On 9/21/01, Ken Wilson penned:
>  > I heard O'Reilly was being discontinued.
>
>
>http://www.deerfield.com/products/website/

Oh, cool! Deerfield seems to be a decent company. I use Serv-U, which 
they developed and sold to CatSoft.
-- 

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: Code Red backdoor triggered?

2001-09-21 Thread Bud

On 9/21/01, Gary P. McNeel, Jr. penned:
>I heard O'Reilly was being discontinued. We have used it for years but it
>has hit a point where there was no development for a year or longer.

They have quit development, but it's still available and supported. 
Version 3 came out at the beginning of this year and lets you run the 
latest version of ASP with Chili!Soft ASP. But that doesn't matter to 
me anyway as I have no desire to run ASP.

>  No new
>stuff added or fixes.

None needed. :)
-- 

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/



RE: Code Red backdoor triggered?

2001-09-21 Thread Tony Schreiber

I made the same suggestion earlier, just for Apache rather than Website.
I've never used IIS, ever. Used to use Netscape's server before Apache was
solid on win32...

> One thing I'm eternally grateful for is the advice to go with
> O'Reilly's Web Site and disable IIS. I've certainly gotten my 900
> bucks worth in sleepful nights and time not spent cleaning up all
> this crap and would heartily recommend anyone that's not already
> dependent upon those programs to spend the money. IIS and FP
> Extensions will never run on a server of mine. The only MS programs
> running on my servers are NT/2000, Internet Exploder, SQL Server and
> Access 2000. I sit here and read all this crap and just grin. Not at
> y'all, but at my wise decision to spend a little now rather than
> continuously.
> --
>
> Bud Schneehagen - Tropical Web Creations
>
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> ColdFusion Solutions / eCommerce Development
> [EMAIL PROTECTED]
> http://www.twcreations.com/
> 
~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: Code Red backdoor triggered?

2001-09-21 Thread Thomas Chiverton

> Out of curiosity what elements do your applications require 
> of IIS that

~~
Your ad could be here. Monies from ads go to support these lists and provide more 
resources for the community. http://www.fusionauthority.com/ads.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: Code Red backdoor triggered?

2001-09-21 Thread Ken Wilson

> I heard O'Reilly was being discontinued.



http://www.deerfield.com/products/website/




RE: Code Red backdoor triggered?

2001-09-21 Thread Gary P. McNeel, Jr.

I heard O'Reilly was being discontinued. We have used it for years but it
has hit a point where there was no development for a year or longer. No new
stuff added or fixes.

Regards,

Gary P. McNeel, Jr.
Executive Director - DAC-Net
Rice University
713-348-6266
dacnet.rice.edu

> -Original Message-
> From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 21, 2001 10:13 AM
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
>
>
> Out of curiosity what elements do your applications require of IIS that
> O'Reilly may or may not have? It's just that I'm looking at O'Reilly as an
> alternative.
>
> Cheers
>
> Kola Oyedeji
> Web developer
> Macromedia Certified Advanced ColdFusion 5 Developer
> http://www.Alexandermark.com
> (+44)020-8429-7300
>
>
> > -Original Message-
> > From: Bud [mailto:[EMAIL PROTECTED]]
> > Sent: 21 September 2001 15:55
> > To: CF-Talk
> > Subject: RE: Code Red backdoor triggered?
> >
> >
> > On 9/21/01, [EMAIL PROTECTED] penned:
> > >Some of us are hosting applications that require IIS.
> >
> > That's why I added the blurb that I'd recommend O'Reilly to anyone
> > that's not already
> > dependent upon IIS or FP. I for one would rather turn down some
> > customers than put them and myself through the headaches. :)
> >
> > >  Properly configured
> > >servers don't have these problems, do they, Dave? Any word
> > on the class?
> >
> >
> > Well sure, that's easy to say, but I for one don't have time to go
> > mucking through thousands of security bulletins on MS site trying to
> > keep my server "properly configured". I can spend the time I save
> > making money and paying for decent software. My opinion is that the
> > first step in properly configuring a web server is disabling IIS. LOL
> > --
> >
> > Bud Schneehagen - Tropical Web Creations
> >
> > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> > ColdFusion Solutions / eCommerce Development
> > [EMAIL PROTECTED]
> > http://www.twcreations.com/
> >
> 



RE: Code Red backdoor triggered?

2001-09-21 Thread Kola Oyedeji

Out of curiosity what elements do your applications require of IIS that
O'Reilly may or may not have? It's just that I'm looking at O'Reilly as an
alternative.

Cheers

Kola Oyedeji
Web developer
Macromedia Certified Advanced ColdFusion 5 Developer
http://www.Alexandermark.com
(+44)020-8429-7300


> -Original Message-
> From: Bud [mailto:[EMAIL PROTECTED]]
> Sent: 21 September 2001 15:55
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
>
>
> On 9/21/01, [EMAIL PROTECTED] penned:
> >Some of us are hosting applications that require IIS.
>
> That's why I added the blurb that I'd recommend O'Reilly to anyone
> that's not already
> dependent upon IIS or FP. I for one would rather turn down some
> customers than put them and myself through the headaches. :)
>
> >  Properly configured
> >servers don't have these problems, do they, Dave? Any word
> on the class?
>
>
> Well sure, that's easy to say, but I for one don't have time to go
> mucking through thousands of security bulletins on MS site trying to
> keep my server "properly configured". I can spend the time I save
> making money and paying for decent software. My opinion is that the
> first step in properly configuring a web server is disabling IIS. LOL
> --
>
> Bud Schneehagen - Tropical Web Creations
>
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> ColdFusion Solutions / eCommerce Development
> [EMAIL PROTECTED]
> http://www.twcreations.com/
> 



Re: Code Red backdoor triggered?

2001-09-21 Thread Neil H.

If you clicked on the html page in Explorer (Windows, NOT IE) it brings up
that little preview in the left side of the window, thus running the page
and infecting the server.  Sucks doesn't it?  Just have to run NAV, and run
the latest IE with all the patches.

Neil

- Original Message -
From: "Bud" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, September 21, 2001 11:04 AM
Subject: Re: Code Red backdoor triggered?


> On 9/21/01, tom muck penned:
> >Unfortunately, this virus can hit you just as easily.  It also comes by
> >email
>
> I don't open e-mail on my servers.
>
> >  and by opening up a page in an infected site,
>
> I don't surf the web from my servers.
>
> >  and also by accessing
> >shared drives in a network.
>
> Only if the virus is on one of the computers in the network.
>
> >   In all, I think it comes in 16 different ways.
> >It's been called a cocktail of viruses.
>
> Well, I've been lucky so far. I'm curious as to what the 16 ways are.
> Got a URL?
> --
>
> Bud Schneehagen - Tropical Web Creations
>
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> ColdFusion Solutions / eCommerce Development
> [EMAIL PROTECTED]
> http://www.twcreations.com/
> 



Re: Code Red backdoor triggered?

2001-09-21 Thread Bud

On 9/21/01, tom muck penned:
>Unfortunately, this virus can hit you just as easily.  It also comes by
>email

I don't open e-mail on my servers.

>  and by opening up a page in an infected site,

I don't surf the web from my servers.

>  and also by accessing
>shared drives in a network.

Only if the virus is on one of the computers in the network.

>   In all, I think it comes in 16 different ways.
>It's been called a cocktail of viruses.

Well, I've been lucky so far. I'm curious as to what the 16 ways are. 
Got a URL?
-- 

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/



RE: RE: Code Red backdoor triggered?

2001-09-21 Thread Brian Fox

Nimda can infect through shares.  One of our internal development websites
(no outside access allowed per firewall rules) was hit through a D: drive
share.  It had us puzzled as well.  It was patched and had no firewall
access.  

I'm still piecing it together, but this is what I believe happened.  A
'weak' public web server was online and part of our domain.  It was not
patched for the directory traversal exploit.  It was infected with NIMDA.
Someone later logged into that particular machine with domain admin rights.
The virus then propagated to all shares on the network which allowed domain
rights.

Moral of the story for our group:  don't trust any machines for which we are
not specifically responsible.  I think the patch is from Dec' 2000, although
the 'cumulative' patch from Aug 2001 includes it.  Eh, go figure.

A couple of good practices helped isolate the damage.  The OS is parked on
C: which is not shared.  All templates are on D:.  As it turns out, we had a
ton of .eml files littered throughout the D: drive, but no dll mods on C:
nor any of the registry entries CERT listed.  A simple restore on D: and a
good packet sniffer is all we have done for now.  And of course we stripped
rights to the D: share down to the bone.

There was a debate on this mailing list on partitioning/not partitioning.
I'd chalk this up to a pretty hefty partitioning pro.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 21, 2001 6:37 AM
> To: CF-Talk
> Subject: RE: RE: Code Red backdoor triggered?
> 
> 
> Our people who are supposed to be maintaining the server 
> swear all patches
> were in place and we still got hit.  Can you please tell me 
> exactly which
> patch you are referring to?  I don't manage the box, but I 
> sure as hell
> suffer if no one else does, either.  I would like to follow 
> up on this on
> this end.  Thanks!
> 
> JoAnn A. Schlosser
> 
> 
> 
> 
>   This e-mail is intended solely for the person or entity 
> to which it
> is addressed and may contain confidential and/or privileged 
> information.
> Any review, dissemination, copying, printing or other use of 
> this e-mail by
> persons or entities other than the addressee is prohibited.  
> If you have
> received this e-mail in error, please contact the sender 
> immediately and
> delete the material from any computer. 
> 
> 



RE: Code Red backdoor triggered?

2001-09-21 Thread Bud

On 9/21/01, [EMAIL PROTECTED] penned:
>Some of us are hosting applications that require IIS.

That's why I added the blurb that I'd recommend O'Reilly to anyone 
that's not already
dependent upon IIS or FP. I for one would rather turn down some 
customers than put them and myself through the headaches. :)

>  Properly configured
>servers don't have these problems, do they, Dave? Any word on the class?


Well sure, that's easy to say, but I for one don't have time to go 
mucking through thousands of security bulletins on MS site trying to 
keep my server "properly configured". I can spend the time I save 
making money and paying for decent software. My opinion is that the 
first step in properly configuring a web server is disabling IIS. LOL
-- 

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/



Re: RE: RE: Code Red backdoor triggered?

2001-09-21 Thread net_man

The roll up patch that fixed Code Red was supposed to also apply to this one.  This is
the only way we could have not gotten infected because it was trying to use the same
attack code red did on IIS.  Now if you got infected via an email or through viewing
a webpage that had it, that was a virus scan issue.  However webservers should have
been protected from the code red patch from MS.  I know it did not infect our server
that was being attacked.

Thanks,
Robert 

[EMAIL PROTECTED] wrote:
> Our people who are supposed to be maintaining the server swear all patches
were in place and we still got hit.  Can you please tell me exactly which
patch you are referring to?  I don't manage the box, but I sure as hell
suffer if no one else does, either.  I would like to follow up on this on
this end.  Thanks!

JoAnn A. Schlosser









RE: RE: Code Red backdoor triggered?

2001-09-21 Thread JSchlosser

Our people who are supposed to be maintaining the server swear all patches
were in place and we still got hit.  Can you please tell me exactly which
patch you are referring to?  I don't manage the box, but I sure as hell
suffer if no one else does, either.  I would like to follow up on this on
this end.  Thanks!

JoAnn A. Schlosser








Re: Code Red backdoor triggered?

2001-09-21 Thread tom muck

Unfortunately, this virus can hit you just as easily.  It also comes by
email and by opening up a page in an infected site, and also by accessing
shared drives in a network.  In all, I think it comes in 16 different ways.
It's been called a cocktail of viruses.

tom

"Bud" <[EMAIL PROTECTED]> wrote in message
news:p04320400b7d0e42a79ed@[192.168.0.2]...
> One thing I'm eternally grateful for is the advice to go with
> O'Reilly's Web Site and disable IIS. I've certainly gotten my 900
> bucks worth in sleepful nights and time not spent cleaning up all
> this crap and would heartily recommend anyone that's not already
> dependent upon those programs to spend the money. IIS and FP
> Extensions will never run on a server of mine. The only MS programs
> running on my servers are NT/2000, Internet Exploder, SQL Server and
> Access 2000. I sit here and read all this crap and just grin. Not at
> y'all, but at my wise decision to spend a little now rather than
> continuously.





Re: RE: Code Red backdoor triggered?

2001-09-21 Thread net_man

I had the patch and therefore was not infected by the worm this time.  However it had 
another attack where it made DOS type gets against what Code Red would have left.  It 
crippled our box for about 2 hours, but we found a fix that was not published 
anywhere, but seemed so obvious when we figured it out.

Since this worm was attacking IP addresses that respond to port 80, there are only a
couple of ways to keep the traffic from killing IIS.  1 -- is to filter the traffic,
which usually results in a lot of work finding the right ACL combination for your
router to filter packets with the correct stream, or block ports, which is not an option
if you are serving websites to the public. 2 -- the other way is to find a way for an IP
address to not respond to port 80 traffic, but still serve Web Pages on port 80.
Sounds crazy but it can be done.  All you need to do is bind a host header to the site
based on the domain it serves.  It killed the traffic and brought us back online.  I
know it works as I had recommended it to someone else getting attacked and got the same
amazing result.  I had not seen it mentioned on the list so I thought I would throw it
out there if someone else was still fighting the attack from outside.  I would be happy
to help further if people need it.

Thanks for your time,
Robert

[EMAIL PROTECTED] wrote:
> Some of us are hosting applications that require IIS.  Properly configured
servers don't have these problems, do they, Dave? Any word on the class?

JoAnn A. Schlosser



-Original Message-
From: Bud [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 8:42 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


One thing I'm eternally grateful for is the advice to go with 
O'Reilly's Web Site and disable IIS. I've certainly gotten my 900 
bucks worth in sleepful nights and time not spent cleaning up all 
this crap and would heartily recommend anyone that's not already 
dependent upon those programs to spend the money. IIS and FP 
Extensions will never run on a server of mine. The only MS programs 
running on my servers are NT/2000, Internet Exploder, SQL Server and 
Access 2000. I sit here and read all this crap and just grin. Not at 
y'all, but at my wise decision to spend a little now rather than 
continuously.
-- 

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
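Robert's host-header trick above, modelled as an added example (this is editor-supplied code, not anything posted to the list and not IIS configuration): a sweeping worm addresses each request to a bare IP, or sends no Host header at all the way an HTTP/1.0 client does, so a site that only answers requests naming one of its bound domains never hands that traffic to the application. ALLOWED_HOSTS and every request in the block are constructed for the example.

```python
"""Host-header gating: serve a request only if its Host names a bound domain.

Added example, not code from the list or from IIS. ALLOWED_HOSTS and all
sample requests are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple

ALLOWED_HOSTS: Set[str] = {"www.example.com", "example.com"}  # constructed bindings


@dataclass
class Decision:
    serve: bool
    reason: str


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def host_name(host: str) -> str:
    """Drop the optional :port, handling bracketed IPv6 literals."""
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end > 0 else host
    return host.split(":", 1)[0]


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def host_header_decision(raw: bytes, allowed: Set[str] = ALLOWED_HOSTS) -> Decision:
    """Serve only when the Host header names a domain bound to this site."""
    try:
        _method, _target, _version, headers = parse_request(raw)
    except ValueError as exc:
        return Decision(False, str(exc))
    host = headers.get("host")
    if host is None:
        # HTTP/1.0-style sweep traffic carries no Host header at all.
        return Decision(False, "no Host header (bare-IP or HTTP/1.0-style sweep)")
    name = host_name(host).lower()
    if is_ip_literal(name):
        # A scanner that walks address ranges names the IP, never the site.
        return Decision(False, "Host is an IP literal: %s" % name)
    if name not in allowed:
        return Decision(False, "Host %r is not bound to this site" % name)
    return Decision(True, "Host %r matches a site binding" % name)


if __name__ == "__main__":
    samples = [  # constructed requests
        b"GET /some/path HTTP/1.0\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n",
    ]
    for raw in samples:
        d = host_header_decision(raw)
        print("serve" if d.serve else "drop ", "-", d.reason)
```

The decision is purely about the Host header, not the request path, which is why it removes the load without any ACL work; the cost is that genuine HTTP/1.0 clients with no Host header are also turned away. It is a traffic mitigation only: as Robert says earlier in the thread, it was the patch that kept the server from being infected.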





RE: Code Red backdoor triggered?

2001-09-21 Thread JSchlosser

Some of us are hosting applications that require IIS.  Properly configured
servers don't have these problems, do they, Dave? Any word on the class?

JoAnn A. Schlosser



-Original Message-
From: Bud [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 8:42 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


One thing I'm eternally grateful for is the advice to go with 
O'Reilly's Web Site and disable IIS. I've certainly gotten my 900 
bucks worth in sleepful nights and time not spent cleaning up all 
this crap and would heartily recommend anyone that's not already 
dependent upon those programs to spend the money. IIS and FP 
Extensions will never run on a server of mine. The only MS programs 
running on my servers are NT/2000, Internet Exploder, SQL Server and 
Access 2000. I sit here and read all this crap and just grin. Not at 
y'all, but at my wise decision to spend a little now rather than 
continuously.
-- 

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/




RE: Code Red backdoor triggered?

2001-09-21 Thread Bud

One thing I'm eternally grateful for is the advice to go with 
O'Reilly's Web Site and disable IIS. I've certainly gotten my 900 
bucks worth in sleepful nights and time not spent cleaning up all 
this crap and would heartily recommend anyone that's not already 
dependent upon those programs to spend the money. IIS and FP 
Extensions will never run on a server of mine. The only MS programs 
running on my servers are NT/2000, Internet Exploder, SQL Server and 
Access 2000. I sit here and read all this crap and just grin. Not at 
y'all, but at my wise decision to spend a little now rather than 
continuously.
-- 

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/



RE: Code Red backdoor triggered?

2001-09-21 Thread JSchlosser

We spent two days doing just that ourselves and were to rebuild (we own our
server) this morning, but our ISP jumped in and took care of it literally
out of the goodness of their hearts.  They replaced all our exe files and we
did an extended replace to get rid of the JavaScripts.  The last bit of
stuff from McAfee seems to be holding and we applied the new patch, so all
seems stable now.  We are looking at moving from NT4/IIS4 to
Windows2000/IIS5 soon (we were going to do it with the rebuild) - how is
IIS5 handling these viruses?

JoAnn A. Schlosser
Senior Consultant
Association Management Software
Grant Thornton LLP
Washington, D. C.
703.837.4428



-Original Message-
From: Maureen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 8:42 PM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


At 05:36 PM 9/20/01 JoAnn A. Schlosser wrote:
>OK.  We just found out that our backup tapes are infected, too.  Has anyone
>found a way to clean this without a total reinstall?  I am in the process
of
>copying the site files themselves to clean separately.  If I can avoid a
>total tear-down and rebuild, I would be eternally grateful.

I don't think it's possible.  I've spent most of the last two days 
attempting to clean the servers to the point where I am comfortable, but have 
finally reached the decision to request the data center to provision new 
servers, and just move files and databases that I can certify as virus 
free, which will probably take less time than rebuilding the existing
servers.






RE: Code Red backdoor triggered?

2001-09-20 Thread Maureen

At 05:36 PM 9/20/01 JoAnn A. Schlosser wrote:
>OK.  We just found out that our backup tapes are infected, too.  Has anyone
>found a way to clean this without a total reinstall?  I am in the process of
>copying the site files themselves to clean separately.  If I can avoid a
>total tear-down and rebuild, I would be eternally grateful.

I don't think it's possible.  I've spent most of the last two days 
attempting to clean the servers to the point where I am comfortable, but have 
finally reached the decision to request the data center to provision new 
servers, and just move files and databases that I can certify as virus 
free, which will probably take less time than rebuilding the existing servers.





RE: Code Red backdoor triggered?

2001-09-20 Thread JSchlosser

Yes, we applied them all.  Maybe the last one held.  I don't know.  Our ISP
kindly replaced our exe files and I deleted the eml and nws files and am
doing an extended search and replace on the whole server to clear out the
javascripts written to the html and asp files.  All is well in my world.

JoAnn A. Schlosser
Senior Consultant
Association Management Software
Grant Thornton LLP
Washington, D. C.
703.837.4428



-Original Message-
From: tom muck [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 7:01 PM
To: CF-Talk
Subject: Re: Code Red backdoor triggered?


McAfee didn't have a patch for it until about noon the day it came out.  It
had already hit hard by then. They've since updated the DAT file 3 times,
each one better than the last.

tom

<[EMAIL PROTECTED]> wrote in message
news:11EDC356EC3AD311AAD30008C75DAFFCB832A4@GTUS_IAD_E01...
> We are running McAfee and had all patches applied to our IIS 4 and still
got
> it.  Our ISP cleaned it up for us without us even asking.  I found out
when
> I put in the work order to have them pull it from the rack for us.  All
> better!  For now.
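The cleanup JoAnn describes in this message and in her earlier one (delete the .eml and .nws files, then search-and-replace the JavaScript written into the html and asp pages), as an added example. This is editor-supplied code, not a tool from the list, McAfee or Norton. It assumes the injected tag is a `<script>` block whose body names a dropped .eml file (an assumption made for the example, not something the thread states), treats .htm alongside .html and .asp, runs dry by default, and quarantines droppings rather than deleting them so a copy survives for forensics. The web root it scans is constructed in `demo()`.

```python
"""Post-infection sweep: report droppings and strip injected script from pages.

Added example, not the list's or any vendor's tool. Assumption: the injected
tag is a <script> whose body refers to a dropped .eml file. Nothing on disk
is changed unless apply=True. The sample tree in demo() is constructed.
"""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

DROPPED_SUFFIXES = {".eml", ".nws"}        # droppings named in the thread
PAGE_SUFFIXES = {".htm", ".html", ".asp"}  # pages the script was written into (.htm assumed)

# Assumed pattern: a <script> naming an .eml file, optionally wrapped in its
# own <html>...</html> when it was appended to the end of a page.
INJECTED_SCRIPT = re.compile(
    r"(?:<html>\s*)?<script[^>]*>[^<]*\.eml[^<]*</script>(?:\s*</html>)?",
    re.IGNORECASE,
)


def strip_injected_script(text: str) -> Tuple[str, int]:
    """Return the page with injected blocks removed and how many were cut."""
    return INJECTED_SCRIPT.subn("", text)


def scan_tree(root, apply: bool = False, quarantine_dir: Optional[Path] = None) -> Dict:
    """Walk a web root; report droppings and modified pages, fixing them if apply."""
    root = Path(root)
    report: Dict = {"dropped_files": [], "pages_modified": [], "scripts_removed": 0}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        suffix = path.suffix.lower()
        if suffix in DROPPED_SUFFIXES:
            report["dropped_files"].append(str(rel))
            if apply:
                # Move aside instead of deleting so a copy survives for forensics.
                dest = (quarantine_dir or root.parent / "quarantine") / rel
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(path), str(dest))
        elif suffix in PAGE_SUFFIXES:
            text = path.read_text(encoding="latin-1")
            cleaned, n = strip_injected_script(text)
            if n:
                report["pages_modified"].append(str(rel))
                report["scripts_removed"] += n
                if apply:
                    path.write_text(cleaned, encoding="latin-1")
    return report


def demo() -> Dict:
    """Build a constructed web root, dry-run, then apply; return what happened."""
    base = Path(tempfile.mkdtemp())
    root, quarantine = base / "wwwroot", base / "quarantine"
    (root / "sub").mkdir(parents=True)
    clean_page = "<html><body>hello</body></html>\n"
    injected = ('<html><script language="JavaScript">'
                'window.open("dropped.eml", null, "resizable=no")</script></html>')
    (root / "index.html").write_text(clean_page + injected, encoding="latin-1")
    (root / "sub" / "page.asp").write_text("<%= Now() %>\n", encoding="latin-1")
    (root / "dropped.eml").write_text("constructed dropping\n", encoding="latin-1")
    dry = scan_tree(root)
    page_after_dry = (root / "index.html").read_text(encoding="latin-1")
    applied = scan_tree(root, apply=True, quarantine_dir=quarantine)
    return {
        "dry": dry,
        "page_untouched_by_dry_run": page_after_dry == clean_page + injected,
        "applied": applied,
        "page_after_apply": (root / "index.html").read_text(encoding="latin-1"),
        "eml_removed": not (root / "dropped.eml").exists(),
        "eml_quarantined": (quarantine / "dropped.eml").exists(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run it dry first and read the report: the pattern is deliberately narrow so that legitimate scripts are left alone, and any page it lists should be eyeballed before `apply=True`. Replacing executables is outside its scope; as Tom and Maureen note in the thread, corrupted exe files have to come from known-good media, and if the backups are infected too the honest answer is a rebuild.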






Re: Code Red backdoor triggered?

2001-09-20 Thread tom muck

McAfee didn't have a patch for it until about noon the day it came out.  It
had already hit hard by then. They've since updated the DAT file 3 times,
each one better than the last.

tom

<[EMAIL PROTECTED]> wrote in message
news:11EDC356EC3AD311AAD30008C75DAFFCB832A4@GTUS_IAD_E01...
> We are running McAfee and had all patches applied to our IIS 4 and still
got
> it.  Our ISP cleaned it up for us without us even asking.  I found out
when
> I put in the work order to have them pull it from the rack for us.  All
> better!  For now.





RE: Code Red backdoor triggered?

2001-09-20 Thread JSchlosser

We are running McAfee and had all patches applied to our IIS 4 and still got
it.  Our ISP cleaned it up for us without us even asking.  I found out when
I put in the work order to have them pull it from the rack for us.  All
better!  For now.

JoAnn A. Schlosser
Senior Consultant
Association Management Software
Grant Thornton LLP
Washington, D. C.
703.837.4428



-Original Message-
From: tom muck [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 6:46 PM
To: CF-Talk
Subject: Re: Code Red backdoor triggered?


Invest in a virus program and you can have it clean everything
automatically.  Don't waste your time trying to do it manually.  Plus, you
want to be warned if any further attacks come in.  If any exe files have
been corrupted, you'll have to reinstall those, but we had good luck running
the virus software with the latest DAT file.

tom

<[EMAIL PROTECTED]> wrote in message
news:11EDC356EC3AD311AAD30008C75DAFFCB8329B@GTUS_IAD_E01...
> OK.  We just found out that our backup tapes are infected, too.  Has
anyone
> found a way to clean this without a total reinstall?  I am in the process
of
> copying the site files themselves to clean separately.  If I can avoid a
> total tear-down and rebuild, I would be eternally grateful.
>
> JoAnn A. Schlosser
> Senior Consultant
> Association Management Software
> Grant Thornton LLP
> Washington, D. C.
> 703.837.4428
>
>
>
> -Original Message-
> From: Frank Priest [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 20, 2001 5:16 PM
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
>
>
> Thanks Robert,
>
> Norton has a cleanup solution now. Fortunately the virus left .cfm files
> alone :-) It's a major pain to clean up though.
>
> For anybody that still has problems with this, the renaming of the
"cmd.exe"
> file tip in an earlier post, helped me to get it at least under control
> until Norton had a fix out.
>
>
> Frank
>
>
>
>
> -----Original Message-
> From: Matt Robertson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 4:53 PM
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
>
>
> Frank,
>
> According to CERT, you're out of luck.  You're facing a network disconnect
> and a ground-up reinstall.
>
> http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
>
> Naturally you should research this thoroughly before doing something like
> that.
>
> Sorry for the downer.
>
> ---
> Matt Robertson  [EMAIL PROTECTED]
> MSB Designs, Inc., www.mysecretbase.com
> ---
>
> >Anybody found a way to get rid of this thing?
> >My Anti Virus software detects but can not do anything about it.
>



Re: Code Red backdoor triggered?

2001-09-20 Thread tom muck

Invest in a virus program and you can have it clean everything
automatically.  Don't waste your time trying to do it manually.  Plus, you
want to be warned if any further attacks come in.  If any exe files have
been corrupted, you'll have to reinstall those, but we had good luck running
the virus software with the latest DAT file.

tom

<[EMAIL PROTECTED]> wrote in message
news:11EDC356EC3AD311AAD30008C75DAFFCB8329B@GTUS_IAD_E01...
> OK.  We just found out that our backup tapes are infected, too.  Has anyone
> found a way to clean this without a total reinstall?  I am in the process of
> copying the site files themselves to clean separately.  If I can avoid a
> total tear-down and rebuild, I would be eternally grateful.
>
> JoAnn A. Schlosser
> Senior Consultant
> Association Management Software
> Grant Thornton LLP
> Washington, D. C.
> 703.837.4428
>
>
>
> -Original Message-
> From: Frank Priest [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 20, 2001 5:16 PM
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
>
>
> Thanks Robert,
>
> Norton has a cleanup solution now. Fortunately the virus left .cfm files
> alone :-) It's a major pain to clean up though.
>
> For anybody that still has problems with this, the renaming of the "cmd.exe"
> file tip in an earlier post helped me to get it at least under control
> until Norton had a fix out.
>
>
> Frank
>
>
>
>
> -----Original Message-
> From: Matt Robertson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 4:53 PM
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
>
>
> Frank,
>
> According to CERT, you're out of luck.  You're facing a network disconnect
> and a ground-up reinstall.
>
> http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
>
> Naturally you should research this thoroughly before doing something like
> that.
>
> Sorry for the downer.
>
> ---
> Matt Robertson  [EMAIL PROTECTED]
> MSB Designs, Inc., www.mysecretbase.com
> ---
>
> >Anybody found a way to get rid of this thing?
> >My Anti Virus software detects but can not do anything about it.
>



RE: Code Red backdoor triggered?

2001-09-20 Thread JSchlosser

OK.  We just found out that our backup tapes are infected, too.  Has anyone
found a way to clean this without a total reinstall?  I am in the process of
copying the site files themselves to clean separately.  If I can avoid a
total tear-down and rebuild, I would be eternally grateful.

JoAnn A. Schlosser
Senior Consultant
Association Management Software
Grant Thornton LLP
Washington, D. C.
703.837.4428



-Original Message-
From: Frank Priest [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 5:16 PM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


Thanks Robert,

Norton has a cleanup solution now. Fortunately the virus left .cfm files
alone :-) It's a major pain to clean up though.

For anybody that still has problems with this, the renaming of the "cmd.exe"
file tip in an earlier post helped me to get it at least under control
until Norton had a fix out.


Frank




-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 4:53 PM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


Frank,

According to CERT, you're out of luck.  You're facing a network disconnect
and a ground-up reinstall.

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Naturally you should research this thoroughly before doing something like
that.

Sorry for the downer.

---
Matt Robertson  [EMAIL PROTECTED]
MSB Designs, Inc., www.mysecretbase.com
---

>Anybody found a way to get rid of this thing?
>My Anti Virus software detects but can not do anything about it.




RE: Code Red backdoor triggered?

2001-09-20 Thread Frank Priest

Thanks Robert,

Norton has a cleanup solution now. Fortunately the virus left .cfm files
alone :-) It's a major pain to clean up though.

For anybody that still has problems with this, the renaming of the "cmd.exe"
file tip in an earlier post helped me to get it at least under control
until Norton had a fix out.


Frank




-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 4:53 PM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


Frank,

According to CERT, you're out of luck.  You're facing a network disconnect
and a ground-up reinstall.

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Naturally you should research this thoroughly before doing something like
that.

Sorry for the downer.

---
Matt Robertson  [EMAIL PROTECTED]
MSB Designs, Inc., www.mysecretbase.com
---

>Anybody found a way to get rid of this thing?
>My Anti Virus software detects but can not do anything about it.



Re: Code Red backdoor triggered?

2001-09-20 Thread net_man

How are we fighting this!!!  It is killing my server response times!!!

Thanks,
Robert

- Original Message -
From: "Bill Davidson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 1:32 PM
Subject: Re: Code Red backdoor triggered?


> Getting SLAMMED too...  So far only on one box as far as I can tell, but it
> is starting to generate so much traffic it is bringing it to its knees at
> some regular intervals.  We're definitely patched and have port blocking on
> (not that that helps port 80), so hopefully this latest onslaught is
> following the same rules as previous ones.
>
> There's some sick people out there - what is their electronic version of a
> week ago's events?  Give me a break
>
> -Bill
> brainbox
> - Original Message -
> From: "Rich Wild" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Tuesday, September 18, 2001 10:37 AM
> Subject: RE: Code Red backdoor triggered?
>
>
> > even we're getting hammered with syn flood attacks.
> >
> > Rich Wild
> >
> > > -Original Message-
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: 18 September 2001 15:52
> > > To: CF-Talk
> > > Subject: FW: Code Red backdoor triggered?
> > >
> > >
> > > It seems there may be some unusual network activity today
> > > worth noting.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > >
> > >
> > > -Original Message-
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, 18 September, 2001 10:49
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Code Red backdoor triggered?
> > >
> > >
> > > > Heads up. Pay attention to your servers today. I just
> > > > started detecting a *ton* of these requests. I think it's
> > > > a follow-up worm programmed to take advantage of the
> > > > backdoors Code Red dropped on infected computers. Maybe a
> > > > Code Red III?
> > > >
> > > > -Cameron
> > > >
> > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > > dhcp181.onewebsystems.com
> > > > (130.205.102.181) on port 80 (tcp).
> > > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > > /scripts/root.exe?/c+dir HTTP/1.0
> > > > Host: www
> > > > Connnection: close
> > >
> > > After a more careful reading, I don't think this is an attack
> > > at all. I
> > > think it's worse than an attack.
> > >
> > > The GET request doesn't do anything except run the DOS dir
> > > command using the
> > > command processor. But, if a server responds with an HTTP 200
> > > status code,
> > > this indicates that the server is vulnerable to running
> > > cmd.exe through the
> > > web server.
> > >
> > > So, my guess is that this is a vulnerability scan. Once a
> > > list of vulnerable
> > > servers is compiled, a real attack would take much less time
> > > than a Code
> > > Red-style attack, since you could build the list of
> > > vulnerable servers into
> > > the attack code!
> > >
> > > This idea has been discussed a bit in the last month or so -
> > > it's called a
> > > "Warhol" worm, the idea being that an attack might cover the mass of
> > > vulnerable machines in fifteen minutes. Here's a URL to the article:
> > >
> > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
>



RE: Code Red backdoor triggered?

2001-09-19 Thread Matt Robertson

Frank,

According to CERT, you're out of luck.  You're facing a network disconnect and a 
ground-up reinstall.

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Naturally you should research this thoroughly before doing something like that.

Sorry for the downer.

---
Matt Robertson  [EMAIL PROTECTED]
MSB Designs, Inc., www.mysecretbase.com
---

>Anybody found a way to get rid of this thing? 
>My Anti Virus software detects but can not do anything about it.

 



Re: Code Red backdoor triggered?

2001-09-18 Thread Bill Davidson

Getting SLAMMED too...  So far only on one box as far as I can tell, but it
is starting to generate so much traffic it is bringing it to its knees at
some regular intervals.  We're definitely patched and have port blocking on
(not that that helps port 80), so hopefully this latest onslaught is
following the same rules as previous ones.

There's some sick people out there - what is their electronic version of a
week ago's events?  Give me a break

-Bill
brainbox
- Original Message -
From: "Rich Wild" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 10:37 AM
Subject: RE: Code Red backdoor triggered?


> even we're getting hammered with syn flood attacks.
>
> Rich Wild
>
> > -Original Message-
> > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > Sent: 18 September 2001 15:52
> > To: CF-Talk
> > Subject: FW: Code Red backdoor triggered?
> >
> >
> > It seems there may be some unusual network activity today
> > worth noting.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> >
> >
> > -----Original Message-----
> > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 18 September, 2001 10:49
> > To: [EMAIL PROTECTED]
> > Subject: RE: Code Red backdoor triggered?
> >
> >
> > > Heads up. Pay attention to your servers today. I just
> > > started detecting a *ton* of these requests. I think it's
> > > a follow-up worm programmed to take advantage of the
> > > backdoors Code Red dropped on infected computers. Maybe a
> > > Code Red III?
> > >
> > > -Cameron
> > >
> > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > dhcp181.onewebsystems.com
> > > (130.205.102.181) on port 80 (tcp).
> > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > /scripts/root.exe?/c+dir HTTP/1.0
> > > Host: www
> > > Connnection: close
> >
> > After a more careful reading, I don't think this is an attack
> > at all. I
> > think it's worse than an attack.
> >
> > The GET request doesn't do anything except run the DOS dir
> > command using the
> > command processor. But, if a server responds with an HTTP 200
> > status code,
> > this indicates that the server is vulnerable to running
> > cmd.exe through the
> > web server.
> >
> > So, my guess is that this is a vulnerability scan. Once a
> > list of vulnerable
> > servers is compiled, a real attack would take much less time
> > than a Code
> > Red-style attack, since you could build the list of
> > vulnerable servers into
> > the attack code!
> >
> > This idea has been discussed a bit in the last month or so -
> > it's called a
> > "Warhol" worm, the idea being that an attack might cover the mass of
> > vulnerable machines in fifteen minutes. Here's a URL to the article:
> >
> > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444



Re: Code Red backdoor triggered?

2001-09-18 Thread Matt Robertson

Looks like I'm getting about 310 or so per minute, if the 1-minute sample I
took is representative.  Deleted a 15mb log of attempts and it's already
grown to 1mb again.  The Microsoft urlscan tool is keeping all of this out
of the IIS logs.

Interestingly, *all* of the default.ida requests I *used* to get have
disappeared to be replaced by all of these blasted malformed requests for
cmd.exe.  That tells me this is the old Code Red II morphing into something
new.  Possibly a warhol-style worm has body-slammed all of the
previously-infected CR II boxes with some new task to accomplish?

BAH!

-
Matt Robertson  [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
-


- Original Message -
From: "Tristram Charnley" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 9:17 AM
Subject: RE: Code Red backdoor triggered?


Yes we're getting hammered too - exactly the same requests


Tristram Charnley





RE: Code Red backdoor triggered?

2001-09-18 Thread Leon Oosterwijk

Does anyone know what the Log signature for Apache is for this new
virus/worm?

Leon


-Original Message-
From: Kelly Matthews [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 10:54 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


I use BlackICE on my server. The Code Red used to come in as IIS system32
command; of course since I was patched it did nothing. Well, today I have a
PLETHORA of attacks all labeled EITHER HTTP UTF8 backlick and HTTP URL with
double-encoded .. My guess is it's a new worm. We are getting SLAMMED but it's
not shutting down services like before; the firewall is currently blocking it
but not sure exactly what it's trying to do.
Kelly

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:26 AM
To: CF-Talk
Subject: FW: Code Red backdoor triggered?


More on the .eml files.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444


-Original Message-
From: Dave Watts 
Sent: Tuesday, 18 September, 2001 11:25
To: '[EMAIL PROTECTED]'
Subject: RE: Code Red backdoor triggered?


> It looks like when you surf to an infected site, it opens IE 
> with a file named readme.eml which appears to contain a readme.exe.  
> I don't have an email client on the server so I don't know what 
> would happen if I did and I am not going to test it out. I 
> also see a number (at least 10 - haven't counted yet) of 
> different sites sending out requests, and interestingly they 
> are all in the same subnet: my ip is 209.186.186.37 and they 
> are all from 209.x.x.x

I just checked the logfile for one virtual server here, and I'm getting lots
of attacks from similar network addresses. I used a command-line HTTP
browser to connect to one of the attacking IPs, and saw the same
"readme.eml" thing, at the bottom of what appeared to be a regular page.

Based on my reading of the logfile, I think this is some Code Red variant or
followup; it's using the Code Red-specific backdoors mentioned in the
incidents.org URL Cameron posted. The only thing that doesn't sound right to
me is that I thought the Code Red trojan payload only worked with Win2K
(simply crashing IIS on NT 4), but several of the attacking servers are
identifying themselves as IIS 4.

Dave Watts, CTO, Fig Leaf Software 
http://www.figleaf.com/ 
voice: (202) 797-5496 





RE: Code Red backdoor triggered?

2001-09-18 Thread Eric Dawson

> > We have temporarily renamed cmd.exe
Will that potentially have any side effects? Guess I'll find out.

Eric Dawson



From: "Larry Juncker" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: CF-Talk <[EMAIL PROTECTED]>
Subject: RE: Code Red backdoor triggered?
Date: Tue, 18 Sep 2001 11:12:22 -0500

We are having the same thing happen. From looking at the IIS logs, this worm
or whatever is using cmd.exe.
We have temporarily renamed cmd.exe in the system32 folder of NT until we
can get this caught and under control.

Larry Juncker
Senior Cold Fusion Developer
Heartland Communications Group, Inc.
[EMAIL PROTECTED]

-Original Message-
From: Rich Wild [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:58 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


 > Can you tell us Rich if it is impacting the servers ??

nah - filling up firewall but nothing else.

 > Are you patched, and does this thing use something new or is it the same
 > exploit as before...

Yeah - we're patched

dunno - we never got hit before.

 > -Original Message-
 > From: Paris Lundis [mailto:[EMAIL PROTECTED]]
 > Sent: 18 September 2001 16:03
 > To: CF-Talk
 > Subject: RE: Code Red backdoor triggered?
 >
 >
 > Uggh! not the code-red variations again...
 >
 > Can you tell us Rich if it is impacting the servers ?? Are  you
 > patched, and does this thing use something new or is it the same
 > exploit as before...
 >
 > Seems like it is becoming a net-30 terror :)
 >
 > -paris
 > [finding the future in the past, passing the future in the present]
 > [connecting people, places and things]
 >
 >
 > -Original Message-
 > From: Rich Wild <[EMAIL PROTECTED]>
 > Date: Tue, 18 Sep 2001 15:37:13 +0100
 > Subject: RE: Code Red backdoor triggered?
 >
 > > even we're getting hammered with syn flood attacks.
 > >
 > > Rich Wild
 > >
 > > > -Original Message-
 > > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
 > > > Sent: 18 September 2001 15:52
 > > > To: CF-Talk
 > > > Subject: FW: Code Red backdoor triggered?
 > > >
 > > >
 > > > It seems there may be some unusual network activity today
 > > > worth noting.
 > > >
 > > > Dave Watts, CTO, Fig Leaf Software
 > > > http://www.figleaf.com/
 > > > voice: (202) 797-5496
 > > > fax: (202) 797-5444
 > > >
 > > >
 > > > -Original Message-
 > > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
 > > > Sent: Tuesday, 18 September, 2001 10:49
 > > > To: [EMAIL PROTECTED]
 > > > Subject: RE: Code Red backdoor triggered?
 > > >
 > > >
 > > > > Heads up. Pay attention to your servers today. I just
 > > > > started detecting a *ton* of these requests. I think it's
 > > > > a follow-up worm programmed to take advantage of the
 > > > > backdoors Code Red dropped on infected computers. Maybe a
 > > > > Code Red III?
 > > > >
 > > > > -Cameron
 > > > >
 > > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
 > > > > dhcp181.onewebsystems.com
 > > > > (130.205.102.181) on port 80 (tcp).
 > > > > [09/18/2001 09:25:55.166 GMT-0400] GET
 > > > > /scripts/root.exe?/c+dir HTTP/1.0
 > > > > Host: www
 > > > > Connnection: close
 > > >
 > > > After a more careful reading, I don't think this is an attack
 > > > at all. I
 > > > think it's worse than an attack.
 > > >
 > > > The GET request doesn't do anything except run the DOS dir
 > > > command using the
 > > > command processor. But, if a server responds with an HTTP 200
 > > > status code,
 > > > this indicates that the server is vulnerable to running
 > > > cmd.exe through the
 > > > web server.
 > > >
 > > > So, my guess is that this is a vulnerability scan. Once a
 > > > list of vulnerable
 > > > servers is compiled, a real attack would take much less time
 > > > than a Code
 > > > Red-style attack, since you could build the list of
 > > > vulnerable servers into
 > > > the attack code!
 > > >
 > > > This idea has been discussed a bit in the last month or so -
 > > > it's called a
 > > > "Warhol" worm, the idea being that an attack might cover the mass of
 > > > vulnerable machines in fifteen minutes. Here's a URL to the article:
 > > >
 > > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
 > >
 > > Dave Watts, CTO, Fig Leaf Software
 > > http://www.figleaf.com/
 > > voice: (202) 797-5496
 > > fax: (202) 797-5444
 > >



RE: Code Red backdoor triggered?

2001-09-18 Thread Rich Tretola

Internet Terrorism?

Rich

-Original Message-
From: Tristram Charnley [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:17 PM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


Yes we're getting hammered too - exactly the same requests


Tristram Charnley





RE: Code Red backdoor triggered?

2001-09-18 Thread Kelly Matthews

yep that's the one...

-Original Message-
From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:01 PM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


This may or may not be relevant but I've just deleted an email from someone
I don't know which I'm sure had a virus attached. It has an .exe file
attached called readme.exe. I received a virus warning and just deleted it!



Kola Oyedeji
Web developer
Macromedia Certified Advanced ColdFusion 5 Developer
http://www.Alexandermark.com
(+44)020-8429-7300


> -Original Message-
> From: Rich Wild [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:58
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
>
>
> > Can you tell us Rich if it is impacting the servers ??
>
> nah - filling up firewall but nothing else.
>
> > Are you patched, and does this thing use something new or is it the same
> > exploit as before...
>
> Yeah - we're patched
>
> dunno - we never got hit before.
>
> > -Original Message-
> > From: Paris Lundis [mailto:[EMAIL PROTECTED]]
> > Sent: 18 September 2001 16:03
> > To: CF-Talk
> > Subject: RE: Code Red backdoor triggered?
> >
> >
> > Uggh! not the code-red variations again...
> >
> > Can you tell us Rich if it is impacting the servers ?? Are  you
> > patched, and does this thing use something new or is it the same
> > exploit as before...
> >
> > Seems like it is becoming a net-30 terror :)
> >
> > -paris
> > [finding the future in the past, passing the future in the present]
> > [connecting people, places and things]
> >
> >
> > -Original Message-
> > From: Rich Wild <[EMAIL PROTECTED]>
> > Date: Tue, 18 Sep 2001 15:37:13 +0100
> > Subject: RE: Code Red backdoor triggered?
> >
> > > even we're getting hammered with syn flood attacks.
> > >
> > > Rich Wild
> > >
> > > > -Original Message-
> > > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > > Sent: 18 September 2001 15:52
> > > > To: CF-Talk
> > > > Subject: FW: Code Red backdoor triggered?
> > > >
> > > >
> > > > It seems there may be some unusual network activity today
> > > > worth noting.
> > > >
> > > > Dave Watts, CTO, Fig Leaf Software
> > > > http://www.figleaf.com/
> > > > voice: (202) 797-5496
> > > > fax: (202) 797-5444
> > > >
> > > >
> > > > -Original Message-
> > > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, 18 September, 2001 10:49
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: Code Red backdoor triggered?
> > > >
> > > >
> > > > > Heads up. Pay attention to your servers today. I just
> > > > > started detecting a *ton* of these requests. I think it's
> > > > > a follow-up worm programmed to take advantage of the
> > > > > backdoors Code Red dropped on infected computers. Maybe a
> > > > > Code Red III?
> > > > >
> > > > > -Cameron
> > > > >
> > > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > > > dhcp181.onewebsystems.com
> > > > > (130.205.102.181) on port 80 (tcp).
> > > > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > > > /scripts/root.exe?/c+dir HTTP/1.0
> > > > > Host: www
> > > > > Connnection: close
> > > >
> > > > After a more careful reading, I don't think this is an attack
> > > > at all. I
> > > > think it's worse than an attack.
> > > >
> > > > The GET request doesn't do anything except run the DOS dir
> > > > command using the
> > > > command processor. But, if a server responds with an HTTP 200
> > > > status code,
> > > > this indicates that the server is vulnerable to running
> > > > cmd.exe through the
> > > > web server.
> > > >
> > > > So, my guess is that this is a vulnerability scan. Once a
> > > > list of vulnerable
> > > > servers is compiled, a real attack would take much less time
> > > > than a Code
> > > > Red-style attack, since you could build the list of
> > > > vulnerable servers into
> > > > the attack code!
> > > >
> > > > This idea has been discussed a bit in the last month or so -
> > > > it's called a
> > > > "Warhol" worm, the idea being that an attack might cover the mass of
> > > > vulnerable machines in fifteen minutes. Here's a URL to the article:
> > > >
> > > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > >



RE: Code Red backdoor triggered?

2001-09-18 Thread Owens, Howard

Here's info:

http:[EMAIL PROTECTED]

Our servers are struggling under the weight of it.

H.


Howard Owens
Internet Operations Coordinator
www.insidevc.com
[EMAIL PROTECTED]
AIM: GoCatGo1956


> -Original Message-
> From: Kola Oyedeji [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 9:01 AM
> To:   CF-Talk
> Subject:  RE: Code Red backdoor triggered?
> 
> This may or may not be relevant but I've just deleted an email from
> someone I don't know which I'm sure had a virus attached. It has an .exe
> file attached called readme.exe. I received a virus warning and just
> deleted it!



RE: Code Red backdoor triggered?

2001-09-18 Thread Larry Juncker

We are having the same thing happen. From looking at the IIS logs, this worm
or whatever is using cmd.exe.
We have temporarily renamed cmd.exe in the system32 folder of NT until we
can get this caught and under control.

Larry Juncker
Senior Cold Fusion Developer
Heartland Communications Group, Inc.
[EMAIL PROTECTED]

-Original Message-
From: Rich Wild [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:58 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


> Can you tell us Rich if it is impacting the servers ??

nah - filling up firewall but nothing else.

> Are you patched, and does this thing use something new or is it the same
> exploit as before...

Yeah - we're patched

dunno - we never got hit before.

> -Original Message-
> From: Paris Lundis [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 16:03
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
>
>
> Uggh! not the code-red variations again...
>
> Can you tell us Rich if it is impacting the servers ?? Are  you
> patched, and does this thing use something new or is it the same
> exploit as before...
>
> Seems like it is becoming a net-30 terror :)
>
> -paris
> [finding the future in the past, passing the future in the present]
> [connecting people, places and things]
>
>
> -Original Message-
> From: Rich Wild <[EMAIL PROTECTED]>
> Date: Tue, 18 Sep 2001 15:37:13 +0100
> Subject: RE: Code Red backdoor triggered?
>
> > even we're getting hammered with syn flood attacks.
> >
> > Rich Wild
> >
> > > -Original Message-
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: 18 September 2001 15:52
> > > To: CF-Talk
> > > Subject: FW: Code Red backdoor triggered?
> > >
> > >
> > > It seems there may be some unusual network activity today
> > > worth noting.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > >
> > >
> > > -Original Message-
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, 18 September, 2001 10:49
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Code Red backdoor triggered?
> > >
> > >
> > > > Heads up. Pay attention to your servers today. I just
> > > > started detecting a *ton* of these requests. I think it's
> > > > a follow-up worm programmed to take advantage of the
> > > > backdoors Code Red dropped on infected computers. Maybe a
> > > > Code Red III?
> > > >
> > > > -Cameron
> > > >
> > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > > dhcp181.onewebsystems.com
> > > > (130.205.102.181) on port 80 (tcp).
> > > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > > /scripts/root.exe?/c+dir HTTP/1.0
> > > > Host: www
> > > > Connnection: close
> > >
> > > After a more careful reading, I don't think this is an attack
> > > at all. I
> > > think it's worse than an attack.
> > >
> > > The GET request doesn't do anything except run the DOS dir
> > > command using the
> > > command processor. But, if a server responds with an HTTP 200
> > > status code,
> > > this indicates that the server is vulnerable to running
> > > cmd.exe through the
> > > web server.
> > >
> > > So, my guess is that this is a vulnerability scan. Once a
> > > list of vulnerable
> > > servers is compiled, a real attack would take much less time
> > > than a Code
> > > Red-style attack, since you could build the list of
> > > vulnerable servers into
> > > the attack code!
> > >
> > > This idea has been discussed a bit in the last month or so -
> > > it's called a
> > > "Warhol" worm, the idea being that an attack might cover the mass of
> > > vulnerable machines in fifteen minutes. Here's a URL to the article:
> > >
> > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> >
> > ----
> >
> > Control your subscriptions to ACFUG lists via the ACFUG website at
> >
> >
>

~~
Your ad could be here. Monies from ads go to support these lists and provide more 
resources for the community. http://www.fusionauthority.com/ads.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
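Dave Watts's diagnostic in the quoted message above (the root.exe probe is a scan, and a host that answers it with HTTP 200 has just run cmd.exe for the scanner) turned into a log-triage script, as an added example that is not code from the thread. The log lines and addresses are constructed, and the signature list is a hypothetical one covering only the request shapes the thread mentions (root.exe, cmd.exe via traversal, double-encoded and UTF8-encoded "..").

```python
"""Triage web-server logs for Code Red / Nimda-style backdoor probes.

Added example, not code from the thread. A server that answers
"GET /scripts/root.exe?/c+dir" (or a cmd.exe traversal) with HTTP 200
has executed the command for the scanner, so it goes on the rebuild list;
404/403 answers are noise the firewall can absorb.
Log lines are constructed in IIS W3C extended format; addresses are made up.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Request shapes discussed in the thread: the root.exe backdoor Code Red II
# left behind, cmd.exe reached by directory traversal, and the "double-encoded"
# and "UTF8" forms of ".." that the IDS labels in the thread refer to.
# Order matters: the more specific encoded-traversal patterns come first.
PROBE_SIGNATURES = [
    ("double-encoded-dotdot", re.compile(r"\.\.%25(5c|2f)", re.I)),
    ("utf8-encoded-dotdot", re.compile(r"\.\.%c0%af|\.\.%c1%(1c|9c)", re.I)),
    ("codered2-root-exe", re.compile(r"/root\.exe", re.I)),
    ("cmd-exe-traversal", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
]

# The subset of W3C extended fields this example expects, in this order.
W3C_FIELDS = ["date", "time", "c-ip", "cs-method",
              "cs-uri-stem", "cs-uri-query", "sc-status"]


@dataclass
class Hit:
    ip: str
    uri: str
    status: int
    signature: str


def parse_w3c(line):
    """Parse one space-separated W3C line; return a dict, or None for
    directives, blank lines and malformed records."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(W3C_FIELDS):
        return None
    rec = dict(zip(W3C_FIELDS, parts))
    try:
        rec["sc-status"] = int(rec["sc-status"])
    except ValueError:
        return None
    return rec


def classify(rec):
    """Return a Hit if the request matches a probe signature, else None."""
    uri = rec["cs-uri-stem"]
    if rec["cs-uri-query"] != "-":
        uri += "?" + rec["cs-uri-query"]
    for name, pattern in PROBE_SIGNATURES:
        if pattern.search(uri):
            return Hit(rec["c-ip"], uri, rec["sc-status"], name)
    return None


def triage(lines):
    """Summarise probes: which ones the server answered with 200, counts
    per signature, and counts per /24 source network (the thread notes
    the attacking hosts clustering in one subnet)."""
    hits = []
    for rec in map(parse_w3c, lines):
        hit = classify(rec) if rec else None
        if hit:
            hits.append(hit)
    succeeded = [h for h in hits if h.status == 200]
    by_signature = Counter(h.signature for h in hits)
    by_subnet = Counter(".".join(h.ip.split(".")[:3]) + ".0/24" for h in hits)
    return {"hits": hits, "succeeded": succeeded,
            "by_signature": by_signature, "by_subnet": by_subnet}


# Constructed sample log (not a real capture). The third record is the bad
# one: the server answered a traversal probe with 200 instead of 404.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:25:55 192.0.2.181 GET /scripts/root.exe /c+dir 404
2001-09-18 13:26:02 192.0.2.77 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:26:10 192.0.2.90 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:26:31 198.51.100.5 GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe /c+dir 403
2001-09-18 13:27:00 203.0.113.9 GET /index.cfm - 200
""".splitlines()


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("probes:", len(report["hits"]), dict(report["by_signature"]))
    print("sources by /24:", dict(report["by_subnet"]))
    for hit in report["succeeded"]:
        # A 200 is a strong hint, not proof: a catch-all custom error page
        # also returns 200, so confirm on the host before rebuilding it.
        print("ANSWERED 200 (host likely compromised):", hit.ip, hit.uri)
```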



RE: Code Red backdoor triggered?

2001-09-18 Thread Kelly Matthews

I use BlackICE on my server. The Code Red used to come in as an IIS system32
command; of course, since I was patched it did nothing. Well, today I have a
PLETHORA of attacks, all labeled EITHER HTTP UTF8 backlick and HTTP URL with
double-encoded ..
My guess is it's a new worm. We are getting SLAMMED, but it's not shutting
down services like before. The firewall is currently blocking it, but I'm not
sure exactly what it's trying to do.
Kelly

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:26 AM
To: CF-Talk
Subject: FW: Code Red backdoor triggered?


More on the .eml files.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444


-Original Message-
From: Dave Watts 
Sent: Tuesday, 18 September, 2001 11:25
To: '[EMAIL PROTECTED]'
Subject: RE: Code Red backdoor triggered?


> It looks like when you surf to an infected site, it opens IE 
> with a file named readme.eml which appears to contain a readme.exe.  
> I don't have an email client on the server so I dont know what 
> would happen if I did and I am not going to test it out. I 
> also see a number (at least 10 - haven't counted yet) of 
> different sites sending out requests, and interestingly they 
> are all in the same subnet: my ip is 209.186.186.37 and they 
> are all from 209.x.x.x

I just checked the logfile for one virtual server here, and I'm getting lots
of attacks from similar network addresses. I used a command-line HTTP
browser to connect to one of the attacking IPs, and saw the same
"readme.eml" thing, at the bottom of what appeared to be a regular page.

Based on my reading of the logfile, I think this is some Code Red variant or
followup; it's using the Code Red-specific backdoors mentioned in the
incidents.org URL Cameron posted. The only thing that doesn't sound right to
me is that I thought the Code Red trojan payload only worked with Win2K
(simply crashing IIS on NT 4), but several of the attacking servers are
identifying themselves as IIS 4.

Dave Watts, CTO, Fig Leaf Software 
http://www.figleaf.com/ 
voice: (202) 797-5496 




RE: Code Red backdoor triggered?

2001-09-18 Thread Tristram Charnley

Yes we're getting hammered too - exactly the same requests


Tristram Charnley




RE: Code Red backdoor triggered?

2001-09-18 Thread Kola Oyedeji

This may or may not be relevant, but I've just deleted an email from someone
I don't know which I'm sure had a virus attached. It has an .exe file
attached called readme.exe. I received a virus warning and just deleted it!



Kola Oyedeji
Web developer
Macromedia Certified Advanced ColdFusion 5 Developer
http://www.Alexandermark.com
(+44)020-8429-7300


> -Original Message-
> From: Rich Wild [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:58
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
>
>
> > Can you tell us Rich if it is impacting the servers ??
>
> nah - filling up firewall but nothing else.
>
> > Are you patched, and does this thing use something new or is it the same
> > exploit as before...
>
> Yeah - we're patched
>
> dunno - we never got hit before.
>
> > -Original Message-
> > From: Paris Lundis [mailto:[EMAIL PROTECTED]]
> > Sent: 18 September 2001 16:03
> > To: CF-Talk
> > Subject: RE: Code Red backdoor triggered?
> >
> >
> > Uggh! not the code-red variations again...
> >
> > Can you tell us Rich if it is impacting the servers ?? Are  you
> > patched, and does this thing use something new or is it the same
> > exploit as before...
> >
> > Seems like it is becoming a net-30 terror :)
> >
> > -paris
> > [finding the future in the past, passing the future in the present]
> > [connecting people, places and things]
> >
> >
> > -Original Message-
> > From: Rich Wild <[EMAIL PROTECTED]>
> > Date: Tue, 18 Sep 2001 15:37:13 +0100
> > Subject: RE: Code Red backdoor triggered?
> >
> > > even we're getting hammered with syn flood attacks.
> > >
> > > Rich Wild
> > >
> > > > -Original Message-
> > > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > > Sent: 18 September 2001 15:52
> > > > To: CF-Talk
> > > > Subject: FW: Code Red backdoor triggered?
> > > >
> > > >
> > > > It seems there may be some unusual network activity today
> > > > worth noting.
> > > >
> > > > Dave Watts, CTO, Fig Leaf Software
> > > > http://www.figleaf.com/
> > > > voice: (202) 797-5496
> > > > fax: (202) 797-5444
> > > >
> > > >
> > > > -Original Message-
> > > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, 18 September, 2001 10:49
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: Code Red backdoor triggered?
> > > >
> > > >
> > > > > Heads up. Pay attention to your servers today. I just
> > > > > started detecting a *ton* of these requests. I think it's
> > > > > a follow-up worm programmed to take advantage of the
> > > > > backdoors Code Red dropped on infected computers. Maybe a
> > > > > Code Red III?
> > > > >
> > > > > -Cameron
> > > > >
> > > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > > > dhcp181.onewebsystems.com
> > > > > (130.205.102.181) on port 80 (tcp).
> > > > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > > > /scripts/root.exe?/c+dir HTTP/1.0
> > > > > Host: www
> > > > > Connnection: close
> > > >
> > > > After a more careful reading, I don't think this is an attack
> > > > at all. I
> > > > think it's worse than an attack.
> > > >
> > > > The GET request doesn't do anything except run the DOS dir
> > > > command using the
> > > > command processor. But, if a server responds with an HTTP 200
> > > > status code,
> > > > this indicates that the server is vulnerable to running
> > > > cmd.exe through the
> > > > web server.
> > > >
> > > > So, my guess is that this is a vulnerability scan. Once a
> > > > list of vulnerable
> > > > servers is compiled, a real attack would take much less time
> > > > than a Code
> > > > Red-style attack, since you could build the list of
> > > > vulnerable servers into
> > > > the attack code!
> > > >
> > > > This idea has been discussed a bit in the last month or so -
> > > > it's called a
> > > > "Warhol" worm, the idea being that an attack might cover the mass of
> > > > vulnerable machines in fifteen minutes. Here's a URL to the article:
> > > >
> > > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > >
> > > ----
> > >
> > > Control your subscriptions to ACFUG lists via the ACFUG website at
> > >
> > >
> >
> 



Re: Code Red backdoor triggered?

2001-09-18 Thread Jochem van Dieten

Jay Sudowski - Handy Networks LLC wrote:

> Gr.  We're getting hammered with something across three of our
> servers. Data transfer is up 600% compared to normal.
> 
> Today is gonna be one of those days ...


We are seeing a slight increase in traffic as of 13:05 UTC today. From 
the log files it appears to be a combination of Code Red II and the new 
Code Blue/Code Red III or whatever it is called (the one that tries to 
exploit the directory traversal bug). But it is not as bad as last time. 
On the least busy segment it shows as a 10% traffic increase, but it 
doesn't show at all on the Gb links.

Isn't Code Red set to activate around the 19th of every month?

Jochem




RE: Code Red backdoor triggered?

2001-09-18 Thread Star Interactive (John Ceci)

Yeah, .eml is an email file...

Looks as though this is a new IIS hole...



-Original Message-
From: Carlisle, Eric [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:14 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


I'll show my ignorance.
A .eml file is a kind of MS spool file, right?
Does the virus pose as one of these files?

EC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:02 PM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


Check for *.eml files on your IIS boxes, we got them everywhere...and our
virus software is not picking anything up at all...



-Original Message-
From: Rich Wild [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:37 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


even we're getting hammered with syn flood attacks.

Rich Wild

> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:52
> To: CF-Talk
> Subject: FW: Code Red backdoor triggered?
>
>
> It seems there may be some unusual network activity today
> worth noting.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
>
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 18 September, 2001 10:49
> To: [EMAIL PROTECTED]
> Subject: RE: Code Red backdoor triggered?
>
>
> > Heads up. Pay attention to your servers today. I just
> > started detecting a *ton* of these requests. I think it's
> > a follow-up worm programmed to take advantage of the
> > backdoors Code Red dropped on infected computers. Maybe a
> > Code Red III?
> >
> > -Cameron
> >
> > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > dhcp181.onewebsystems.com
> > (130.205.102.181) on port 80 (tcp).
> > [09/18/2001 09:25:55.166 GMT-0400] GET
> > /scripts/root.exe?/c+dir HTTP/1.0
> > Host: www
> > Connnection: close
>
> After a more careful reading, I don't think this is an attack
> at all. I
> think it's worse than an attack.
>
> The GET request doesn't do anything except run the DOS dir
> command using the
> command processor. But, if a server responds with an HTTP 200
> status code,
> this indicates that the server is vulnerable to running
> cmd.exe through the
> web server.
>
> So, my guess is that this is a vulnerability scan. Once a
> list of vulnerable
> servers is compiled, a real attack would take much less time
> than a Code
> Red-style attack, since you could build the list of
> vulnerable servers into
> the attack code!
>
> This idea has been discussed a bit in the last month or so -
> it's called a
> "Warhol" worm, the idea being that an attack might cover the mass of
> vulnerable machines in fifteen minutes. Here's a URL to the article:
>
> http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444


Control your subscriptions to ACFUG lists via the ACFUG website at







Re: Code Red backdoor triggered?

2001-09-18 Thread webmaster

we're seeing a HUGE number of hits all containing:
port=3641 probes and URL=/c/winnt/system32/cmd.exe attempts, and guess where
they're coming from?
The exact same machines that routinely have been doing the Code Red thing.

Damn




-Original Message-
From: "Paris Lundis" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 8:02 AM
Subject: RE: Code Red backdoor triggered?


> Uggh! not the code-red variations again...
>
> Can you tell us Rich if it is impacting the servers ?? Are  you
> patched, and does this thing use something new or is it the same
> exploit as before...
>
> Seems like it is becoming a net-30 terror :)
>
> -paris
> [finding the future in the past, passing the future in the present]
> [connecting people, places and things]
>
>
> -Original Message-
> From: Rich Wild <[EMAIL PROTECTED]>
> Date: Tue, 18 Sep 2001 15:37:13 +0100
> Subject: RE: Code Red backdoor triggered?
>
> > even we're getting hammered with syn flood attacks.
> >
> > Rich Wild
> >
> > > -Original Message-
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: 18 September 2001 15:52
> > > To: CF-Talk
> > > Subject: FW: Code Red backdoor triggered?
> > >
> > >
> > > It seems there may be some unusual network activity today
> > > worth noting.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > >
> > >
> > > -Original Message-
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, 18 September, 2001 10:49
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Code Red backdoor triggered?
> > >
> > >
> > > > Heads up. Pay attention to your servers today. I just
> > > > started detecting a *ton* of these requests. I think it's
> > > > a follow-up worm programmed to take advantage of the
> > > > backdoors Code Red dropped on infected computers. Maybe a
> > > > Code Red III?
> > > >
> > > > -Cameron
> > > >
> > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > > dhcp181.onewebsystems.com
> > > > (130.205.102.181) on port 80 (tcp).
> > > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > > /scripts/root.exe?/c+dir HTTP/1.0
> > > > Host: www
> > > > Connnection: close
> > >
> > > After a more careful reading, I don't think this is an attack
> > > at all. I
> > > think it's worse than an attack.
> > >
> > > The GET request doesn't do anything except run the DOS dir
> > > command using the
> > > command processor. But, if a server responds with an HTTP 200
> > > status code,
> > > this indicates that the server is vulnerable to running
> > > cmd.exe through the
> > > web server.
> > >
> > > So, my guess is that this is a vulnerability scan. Once a
> > > list of vulnerable
> > > servers is compiled, a real attack would take much less time
> > > than a Code
> > > Red-style attack, since you could build the list of
> > > vulnerable servers into
> > > the attack code!
> > >
> > > This idea has been discussed a bit in the last month or so -
> > > it's called a
> > > "Warhol" worm, the idea being that an attack might cover the mass of
> > > vulnerable machines in fifteen minutes. Here's a URL to the article:
> > >
> > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> > ----
> >
> > Control your subscriptions to ACFUG lists via the ACFUG website at
> >
> >
> 



RE: Code Red backdoor triggered?

2001-09-18 Thread Rich Wild

we have loads of *.eml files, but they're just bad emails from the
mailspool, nothing to worry about.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 17:02
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
> 
> 
> Check for *.eml files on your IIS boxes, we got them 
> everywhere...and our
> virus software is not picking anything up at all...
> 
> 
> 
> -Original Message-
> From: Rich Wild [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 9:37 AM
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
> 
> 
> even we're getting hammered with syn flood attacks.
> 
> Rich Wild
> 
> > -Original Message-
> > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > Sent: 18 September 2001 15:52
> > To: CF-Talk
> > Subject: FW: Code Red backdoor triggered?
> >
> >
> > It seems there may be some unusual network activity today
> > worth noting.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> >
> >
> > -Original Message-
> > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 18 September, 2001 10:49
> > To: [EMAIL PROTECTED]
> > Subject: RE: Code Red backdoor triggered?
> >
> >
> > > Heads up. Pay attention to your servers today. I just
> > > started detecting a *ton* of these requests. I think it's
> > > a follow-up worm programmed to take advantage of the
> > > backdoors Code Red dropped on infected computers. Maybe a
> > > Code Red III?
> > >
> > > -Cameron
> > >
> > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > dhcp181.onewebsystems.com
> > > (130.205.102.181) on port 80 (tcp).
> > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > /scripts/root.exe?/c+dir HTTP/1.0
> > > Host: www
> > > Connnection: close
> >
> > After a more careful reading, I don't think this is an attack
> > at all. I
> > think it's worse than an attack.
> >
> > The GET request doesn't do anything except run the DOS dir
> > command using the
> > command processor. But, if a server responds with an HTTP 200
> > status code,
> > this indicates that the server is vulnerable to running
> > cmd.exe through the
> > web server.
> >
> > So, my guess is that this is a vulnerability scan. Once a
> > list of vulnerable
> > servers is compiled, a real attack would take much less time
> > than a Code
> > Red-style attack, since you could build the list of
> > vulnerable servers into
> > the attack code!
> >
> > This idea has been discussed a bit in the last month or so -
> > it's called a
> > "Warhol" worm, the idea being that an attack might cover the mass of
> > vulnerable machines in fifteen minutes. Here's a URL to the article:
> >
> > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
> ----
>
> Control your subscriptions to ACFUG lists via the ACFUG website at
> 
> 
> 



RE: Code Red backdoor triggered?

2001-09-18 Thread Rich Wild

> Can you tell us Rich if it is impacting the servers ??

nah - filling up firewall but nothing else.

> Are you patched, and does this thing use something new or is it the same
> exploit as before...

Yeah - we're patched

dunno - we never got hit before.

> -Original Message-
> From: Paris Lundis [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 16:03
> To: CF-Talk
> Subject: RE: Code Red backdoor triggered?
> 
> 
> Uggh! not the code-red variations again...
> 
> Can you tell us Rich if it is impacting the servers ?? Are  you 
> patched, and does this thing use something new or is it the same 
> exploit as before...
> 
> Seems like it is becoming a net-30 terror :)
> 
> -paris
> [finding the future in the past, passing the future in the present]
> [connecting people, places and things]
> 
> 
> -Original Message-
> From: Rich Wild <[EMAIL PROTECTED]>
> Date: Tue, 18 Sep 2001 15:37:13 +0100
> Subject: RE: Code Red backdoor triggered?
> 
> > even we're getting hammered with syn flood attacks.
> > 
> > Rich Wild
> > 
> > > -Original Message-
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: 18 September 2001 15:52
> > > To: CF-Talk
> > > Subject: FW: Code Red backdoor triggered?
> > > 
> > > 
> > > It seems there may be some unusual network activity today 
> > > worth noting.
> > > 
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > > 
> > > 
> > > -Original Message-
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, 18 September, 2001 10:49
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Code Red backdoor triggered?
> > > 
> > > 
> > > > Heads up. Pay attention to your servers today. I just 
> > > > started detecting a *ton* of these requests. I think it's 
> > > > a follow-up worm programmed to take advantage of the 
> > > > backdoors Code Red dropped on infected computers. Maybe a
> > > > Code Red III?
> > > > 
> > > > -Cameron
> > > > 
> > > > [09/18/2001 09:25:55.136 GMT-0400] Connection: 
> > > > dhcp181.onewebsystems.com
> > > > (130.205.102.181) on port 80 (tcp).
> > > > [09/18/2001 09:25:55.166 GMT-0400] GET 
> > > > /scripts/root.exe?/c+dir HTTP/1.0
> > > > Host: www
> > > > Connnection: close
> > > 
> > > After a more careful reading, I don't think this is an attack 
> > > at all. I
> > > think it's worse than an attack.
> > > 
> > > The GET request doesn't do anything except run the DOS dir 
> > > command using the
> > > command processor. But, if a server responds with an HTTP 200 
> > > status code,
> > > this indicates that the server is vulnerable to running 
> > > cmd.exe through the
> > > web server.
> > > 
> > > So, my guess is that this is a vulnerability scan. Once a 
> > > list of vulnerable
> > > servers is compiled, a real attack would take much less time 
> > > than a Code
> > > Red-style attack, since you could build the list of 
> > > vulnerable servers into
> > > the attack code!
> > > 
> > > This idea has been discussed a bit in the last month or so - 
> > > it's called a
> > > "Warhol" worm, the idea being that an attack might cover the mass of
> > > vulnerable machines in fifteen minutes. Here's a URL to the article:
> > >
> > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> > 
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> > 
> > ----
> >
> > Control your subscriptions to ACFUG lists via the ACFUG website at
> > 
> > 
> 



RE: Code Red backdoor triggered?

2001-09-18 Thread Jay Sudowski - Handy Networks LLC

Gr.  We're getting hammered with something across three of our
servers. Data transfer is up 600% compared to normal.

Today is gonna be one of those days ...



-Original Message-
From: Rich Wild [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 10:37 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


even we're getting hammered with syn flood attacks.

Rich Wild

> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:52
> To: CF-Talk
> Subject: FW: Code Red backdoor triggered?
> 
> 
> It seems there may be some unusual network activity today
> worth noting.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
> 
> 
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 18 September, 2001 10:49
> To: [EMAIL PROTECTED]
> Subject: RE: Code Red backdoor triggered?
> 
> 
> > Heads up. Pay attention to your servers today. I just
> > started detecting a *ton* of these requests. I think it's 
> > a follow-up worm programmed to take advantage of the 
> > backdoors Code Red dropped on infected computers. Maybe a
> > Code Red III?
> > 
> > -Cameron
> > 
> > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > dhcp181.onewebsystems.com
> > (130.205.102.181) on port 80 (tcp).
> > [09/18/2001 09:25:55.166 GMT-0400] GET 
> > /scripts/root.exe?/c+dir HTTP/1.0
> > Host: www
> > Connnection: close
> 
> After a more careful reading, I don't think this is an attack
> at all. I
> think it's worse than an attack.
> 
> The GET request doesn't do anything except run the DOS dir
> command using the
> command processor. But, if a server responds with an HTTP 200 
> status code,
> this indicates that the server is vulnerable to running 
> cmd.exe through the
> web server.
> 
> So, my guess is that this is a vulnerability scan. Once a
> list of vulnerable
> servers is compiled, a real attack would take much less time 
> than a Code
> Red-style attack, since you could build the list of 
> vulnerable servers into
> the attack code!
> 
> This idea has been discussed a bit in the last month or so -
> it's called a
> "Warhol" worm, the idea being that an attack might cover the mass of
> vulnerable machines in fifteen minutes. Here's a URL to the article:
> 
> http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444



Control your subscriptions to ACFUG lists via the ACFUG website at





RE: Code Red backdoor triggered?

2001-09-18 Thread Carlisle, Eric

I'll show my ignorance.
A .eml file is a kind of MS spool file, right?
Does the virus pose as one of these files?

EC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:02 PM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


Check for *.eml files on your IIS boxes, we got them everywhere...and our
virus software is not picking anything up at all...



-Original Message-
From: Rich Wild [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:37 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


even we're getting hammered with syn flood attacks.

Rich Wild

> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:52
> To: CF-Talk
> Subject: FW: Code Red backdoor triggered?
>
>
> It seems there may be some unusual network activity today
> worth noting.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
>
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 18 September, 2001 10:49
> To: [EMAIL PROTECTED]
> Subject: RE: Code Red backdoor triggered?
>
>
> > Heads up. Pay attention to your servers today. I just
> > started detecting a *ton* of these requests. I think it's
> > a follow-up worm programmed to take advantage of the
> > backdoors Code Red dropped on infected computers. Maybe a
> > Code Red III?
> >
> > -Cameron
> >
> > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > dhcp181.onewebsystems.com
> > (130.205.102.181) on port 80 (tcp).
> > [09/18/2001 09:25:55.166 GMT-0400] GET
> > /scripts/root.exe?/c+dir HTTP/1.0
> > Host: www
> > Connnection: close
>
> After a more careful reading, I don't think this is an attack
> at all. I
> think it's worse than an attack.
>
> The GET request doesn't do anything except run the DOS dir
> command using the
> command processor. But, if a server responds with an HTTP 200
> status code,
> this indicates that the server is vulnerable to running
> cmd.exe through the
> web server.
>
> So, my guess is that this is a vulnerability scan. Once a
> list of vulnerable
> servers is compiled, a real attack would take much less time
> than a Code
> Red-style attack, since you could build the list of
> vulnerable servers into
> the attack code!
>
> This idea has been discussed a bit in the last month or so -
> it's called a
> "Warhol" worm, the idea being that an attack might cover the mass of
> vulnerable machines in fifteen minutes. Here's a URL to the article:
>
> http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444


Control your subscriptions to ACFUG lists via the ACFUG website at






RE: Code Red backdoor triggered?

2001-09-18 Thread Star Interactive (John Ceci)

Check for *.eml files on your IIS boxes, we got them everywhere...and our
virus software is not picking anything up at all...



-Original Message-
From: Rich Wild [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:37 AM
To: CF-Talk
Subject: RE: Code Red backdoor triggered?


even we're getting hammered with syn flood attacks.

Rich Wild

> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:52
> To: CF-Talk
> Subject: FW: Code Red backdoor triggered?
>
>
> It seems there may be some unusual network activity today
> worth noting.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
>
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 18 September, 2001 10:49
> To: [EMAIL PROTECTED]
> Subject: RE: Code Red backdoor triggered?
>
>
> > Heads up. Pay attention to your servers today. I just
> > started detecting a *ton* of these requests. I think it's
> > a follow-up worm programmed to take advantage of the
> > backdoors Code Red dropped on infected computers. Maybe a
> > Code Red III?
> >
> > -Cameron
> >
> > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > dhcp181.onewebsystems.com
> > (130.205.102.181) on port 80 (tcp).
> > [09/18/2001 09:25:55.166 GMT-0400] GET
> > /scripts/root.exe?/c+dir HTTP/1.0
> > Host: www
> > Connnection: close
>
> After a more careful reading, I don't think this is an attack
> at all. I
> think it's worse than an attack.
>
> The GET request doesn't do anything except run the DOS dir
> command using the
> command processor. But, if a server responds with an HTTP 200
> status code,
> this indicates that the server is vulnerable to running
> cmd.exe through the
> web server.
>
> So, my guess is that this is a vulnerability scan. Once a
> list of vulnerable
> servers is compiled, a real attack would take much less time
> than a Code
> Red-style attack, since you could build the list of
> vulnerable servers into
> the attack code!
>
> This idea has been discussed a bit in the last month or so -
> it's called a
> "Warhol" worm, the idea being that an attack might cover the mass of
> vulnerable machines in fifteen minutes. Here's a URL to the article:
>
> http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





RE: Code Red backdoor triggered?

2001-09-18 Thread Paris Lundis

Uggh! not the code-red variations again...

Can you tell us Rich if it is impacting the servers?? Are you 
patched, and does this thing use something new or is it the same 
exploit as before...

Seems like it is becoming a net-30 terror :)

-paris
[finding the future in the past, passing the future in the present]
[connecting people, places and things]


-Original Message-
From: Rich Wild <[EMAIL PROTECTED]>
Date: Tue, 18 Sep 2001 15:37:13 +0100
Subject: RE: Code Red backdoor triggered?

> even we're getting hammered with syn flood attacks.
> 
> Rich Wild
> 
> > -Original Message-
> > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > Sent: 18 September 2001 15:52
> > To: CF-Talk
> > Subject: FW: Code Red backdoor triggered?
> > 
> > 
> > It seems there may be some unusual network activity today 
> > worth noting.
> > 
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> > 
> > 
> > -Original Message-
> > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 18 September, 2001 10:49
> > To: [EMAIL PROTECTED]
> > Subject: RE: Code Red backdoor triggered?
> > 
> > 
> > > Heads up. Pay attention to your servers today. I just 
> > > started detecting a *ton* of these requests. I think it's 
> > > a follow-up worm programmed to take advantage of the 
> > > backdoors Code Red dropped on infected computers. Maybe a
> > > Code Red III?
> > > 
> > > -Cameron
> > > 
> > > [09/18/2001 09:25:55.136 GMT-0400] Connection: 
> > > dhcp181.onewebsystems.com
> > > (130.205.102.181) on port 80 (tcp).
> > > [09/18/2001 09:25:55.166 GMT-0400] GET 
> > > /scripts/root.exe?/c+dir HTTP/1.0
> > > Host: www
> > > Connnection: close
> > 
> > After a more careful reading, I don't think this is an attack 
> > at all. I
> > think it's worse than an attack.
> > 
> > The GET request doesn't do anything except run the DOS dir 
> > command using the
> > command processor. But, if a server responds with an HTTP 200 
> > status code,
> > this indicates that the server is vulnerable to running 
> > cmd.exe through the
> > web server.
> > 
> > So, my guess is that this is a vulnerability scan. Once a 
> > list of vulnerable
> > servers is compiled, a real attack would take much less time 
> > than a Code
> > Red-style attack, since you could build the list of 
> > vulnerable servers into
> > the attack code!
> > 
> > This idea has been discussed a bit in the last month or so - 
> > it's called a
> > "Warhol" worm, the idea being that an attack might cover the mass
> of
> > vulnerable machines in fifteen minutes. Here's a URL to the
> article:
> > 
> > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
> ----
> 
> Control your subscriptions to ACFUG lists via the ACFUG website at
> 
> 



RE: Code Red backdoor triggered?

2001-09-18 Thread Rich Wild

even we're getting hammered with syn flood attacks.

Rich Wild

> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:52
> To: CF-Talk
> Subject: FW: Code Red backdoor triggered?
> 
> 
> It seems there may be some unusual network activity today 
> worth noting.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
> 
> 
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 18 September, 2001 10:49
> To: [EMAIL PROTECTED]
> Subject: RE: Code Red backdoor triggered?
> 
> 
> > Heads up. Pay attention to your servers today. I just 
> > started detecting a *ton* of these requests. I think it's 
> > a follow-up worm programmed to take advantage of the 
> > backdoors Code Red dropped on infected computers. Maybe a
> > Code Red III?
> > 
> > -Cameron
> > 
> > [09/18/2001 09:25:55.136 GMT-0400] Connection: 
> > dhcp181.onewebsystems.com
> > (130.205.102.181) on port 80 (tcp).
> > [09/18/2001 09:25:55.166 GMT-0400] GET 
> > /scripts/root.exe?/c+dir HTTP/1.0
> > Host: www
> > Connnection: close
> 
> After a more careful reading, I don't think this is an attack 
> at all. I
> think it's worse than an attack.
> 
> The GET request doesn't do anything except run the DOS dir 
> command using the
> command processor. But, if a server responds with an HTTP 200 
> status code,
> this indicates that the server is vulnerable to running 
> cmd.exe through the
> web server.
> 
> So, my guess is that this is a vulnerability scan. Once a 
> list of vulnerable
> servers is compiled, a real attack would take much less time 
> than a Code
> Red-style attack, since you could build the list of 
> vulnerable servers into
> the attack code!
> 
> This idea has been discussed a bit in the last month or so - 
> it's called a
> "Warhol" worm, the idea being that an attack might cover the mass of
> vulnerable machines in fifteen minutes. Here's a URL to the article:
> 
> http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

