WORM FORENSICS?
From: Technical Support (bob@dexis.net)
Date: 09/18/01
- Previous message: McCammon, Keith: "RE: New worm? 'readme.eml'"
- Next in thread: Gabriel Wachman: "Re: WORM FORENSICS?"
- Reply: Gabriel Wachman: "Re: WORM FORENSICS?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <5.1.0.14.2.20010918132314.02c0dea0@pop3.norton.antivirus>
Date: Tue, 18 Sep 2001 13:24:32 -0700
To: Jensenne Roculan <jroculan@securityfocus.com>, <incidents@securityfocus.com>
From: Technical Support <bob@dexis.net>
Subject: WORM FORENSICS?
I have just investigated a server that attacked me.
Here is what I found:
It appears that the servers are keeping a log of the results.
My server logs show that an attempt was made:
[18/Sep/2001:12:37:43 -0700] "from 207.104.210.242" "GET <clip> HTTP/1.0"
404 56 "- -> /scripts/<clip>/system32/cmd.exe" "User-Agent=-" "port: 80
Since I saw that I was attacked at 12:37, I went to the attacker site and
listed the directory and discovered what appears to be a log of all the
attempts.
As can be seen, the log
09/18/01 12:37p 0 TFTP9513
has a zero byte length, which seems to indicate that it failed, since I am
running Apache.
If all those other logs are 57,344 each, then there appear to be many more
MSII servers out there than I expected, and these logs appear to have
information which appears to be success data.
I feel that any server attacking another is fair game to publish data about it.
Bob
http://207.104.25.194/scripts/root.exe?/c+dir%20"c:\InetPub\scripts"
The directory listing is included in the attached ZIP file
- application/zip attachment: 207-104-25-194.zip
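The probe Bob quotes (a request for cmd.exe under /scripts/ that his Apache server answered with a 404) is the kind of line an administrator would want to pull out of an access log automatically, along with whether the server rejected it. The following Python scanner is an added example for this thread, not code from the post or its author. It parses Apache "combined" format (a constructed sample, not the custom log format quoted above), flags requests that reference cmd.exe, root.exe or URL-encoded "..\" traversal sequences (an indicator list assumed for the example), and reports per source address how many probes were rejected versus answered with a 2xx, which on a non-IIS host is the case that warrants investigation.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in Apache "combined" format. Addresses, paths and
# statuses are made up for the example; only the probe shapes mirror the
# one quoted in the post (cmd.exe under /scripts/, root.exe).
SAMPLE_LOG = """\
207.104.210.242 - - [18/Sep/2001:12:37:43 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 56 "-" "-"
207.104.210.242 - - [18/Sep/2001:12:37:44 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 56 "-" "-"
192.0.2.10 - - [18/Sep/2001:12:38:01 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2001:12:39:12 -0700] "GET /msadc/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512 "-" "-"
"""

# Apache combined format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator list assumed for the example: the two binaries named in the
# post plus URL-encoded "..\" variants commonly seen in these probes.
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("cmd.exe", re.compile(r"cmd\.exe", re.I)),
    ("root.exe", re.compile(r"root\.exe", re.I)),
    ("traversal", re.compile(r"\.\.(?:%255c|%5c|%c0%af|%c1%9c|%c1%1c|\\)", re.I)),
]


class Hit(NamedTuple):
    ip: str
    timestamp: str
    path: str
    status: int
    indicators: Tuple[str, ...]
    outcome: str  # "rejected" (non-2xx) or "answered" (2xx)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def match_indicators(path: str) -> Tuple[str, ...]:
    """Return the names of every indicator that fires on the request path."""
    return tuple(name for name, rx in INDICATORS if rx.search(path))


def classify_status(status: int) -> str:
    # A non-IIS host should reject these requests (the 404 in the post), so a
    # 2xx on a probe means something actually served the path and needs review.
    return "answered" if 200 <= status < 300 else "rejected"


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per log line whose request path matches an indicator."""
    hits: List[Hit] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ind = match_indicators(rec["path"])
        if ind:
            hits.append(Hit(rec["ip"], rec["ts"], rec["path"], rec["status"],
                            ind, classify_status(rec["status"])))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, Dict[str, int]]:
    """Per source address, how many probes were rejected vs answered."""
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: {"rejected": 0, "answered": 0})
    for h in hits:
        out[h.ip][h.outcome] += 1
    return dict(out)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.ip:16} {h.status} {h.outcome:8} "
              f"{','.join(h.indicators)} {h.path}")
    print(summarize(found))
```

Running the script against a real access log instead of SAMPLE_LOG (for example by reading the file into `scan_log`) gives a quick view of which sources are probing and, more importantly, whether any probe got a 2xx; on an Apache host every such request should land in the "rejected" column, as Bob's did.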