new codered worm?
From: "^^ sang sang" <gauri2007@hotmail.com>
To: incidents@securityfocus.com
Subject: new codered worm?
Date: Thu, 30 Aug 2001 02:12:43 +0000
Message-ID: <F136j9n1xxWn9R6mJB50000152b@hotmail.com>
I got hit by a Code Red worm, which seems like a new mutation. I am not sure
whether it is a new one, so please explain about that if you have any idea.
I found logs like the ones below:
1. traced the IP address
2. checked for root.exe, which was used as a back door in the previous Code Red worm
3. /x.ida VVVVVVVVVVVVV as a new attack pattern
4. This server is one that was infected in the previous Code Red attack, and
it was already shut down. Accordingly, the attack failed (normally, IIS
may stop when the ida buffer overflow fails).
Also, it has a log of a print buffer overflow, and it seems like this is included
in an automated script.
This is the log:
2001-08-27 01:41:39 210.92.26.120 - X.X.X.X GET /scripts/root.exe /c+dir+c:\ 404 -
2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /c/winnt/system32/cmd.exe /c+dir+c:\ 404 -
2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /d/winnt/system32/cmd.exe /c+dir+c:\ 404 -
2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /msadc/root.exe /c+dir+c:\ 404 -
2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /c/inetpub/scripts/root.exe /c+dir+c:\ 404 -
2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /d/inetpub/scripts/cmd.exe /c+dir+c:\ 404 -
2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /x.ida VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV=X 200 -
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
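The log in the post mixes two things a defender wants to tell apart: requests for root.exe and for cmd.exe under the /c/ and /d/ virtual roots, which probe for the back door that Code Red II left on infected hosts (it copied cmd.exe to root.exe in the scripts and msadc directories and mapped the C: and D: drives as virtual directories), and a GET for an .ida file with a long run of filler in the query string, which is the request shape of the .ida ISAPI overflow that the Code Red family exploited. The script below is an added example, not code from the original post or from SecurityFocus; it parses IIS W3C-style log lines like the ones above (tolerating the missing port field in the post's first line), classifies each hit, and reports per source IP whether any back-door probe was answered with 200, which would mean the back door actually exists on the server. The sample log lines, IP addresses and the helper names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in IIS W3C extended format, modelled on the post:
# date time c-ip cs-username s-ip [s-port] cs-method cs-uri-stem cs-uri-query sc-status win32-status
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "2001-08-27 01:41:39 203.0.113.5 - 198.51.100.10 GET /scripts/root.exe /c+dir+c:\\ 404 -",
    "2001-08-27 01:41:39 203.0.113.5 - 198.51.100.10 80 GET /c/winnt/system32/cmd.exe /c+dir+c:\\ 404 -",
    "2001-08-27 01:41:39 203.0.113.5 - 198.51.100.10 80 GET /msadc/root.exe /c+dir+c:\\ 404 -",
    f"2001-08-27 01:41:39 203.0.113.5 - 198.51.100.10 80 GET /x.ida {'V' * 200}=X 200 -",
    "2001-08-27 01:41:40 203.0.113.5 - 198.51.100.10 80 GET /scripts/root.exe /c+dir+c:\\ 200 -",
    "2001-08-27 01:42:00 192.0.2.7 - 198.51.100.10 80 GET /index.html - 200 -",
]

# root.exe in the locations Code Red II dropped it, reached directly or via a /c or /d virtual root.
BACKDOOR_ROOT_EXE = re.compile(r"/(?:scripts|msadc|inetpub/scripts)/root\.exe$", re.I)
# cmd.exe or root.exe reached through the /c and /d drive mappings Code Red II created.
DRIVE_MAPPED_SHELL = re.compile(r"^/[a-z]/(?:winnt/system32|inetpub/scripts)/(?:cmd|root)\.exe$", re.I)
# Any .ida request; Code Red used default.ida, the post shows x.ida.
IDA_REQUEST = re.compile(r"\.ida$", re.I)
# 100 or more repeats of a single character at the start of the query (the overflow filler).
OVERFLOW_FILLER = re.compile(r"^([A-Za-z])\1{99,}")


@dataclass
class LogEntry:
    date: str
    time: str
    client_ip: str
    server_ip: str
    port: Optional[int]
    method: str
    uri: str
    query: str
    status: int


def parse_iis_line(line: str) -> Optional[LogEntry]:
    """Parse one whitespace-separated IIS log line; the s-port field is optional."""
    fields = line.split()
    if len(fields) < 9:
        return None
    date, time, client_ip, _user, server_ip = fields[:5]
    rest = fields[5:]
    port = None
    if rest[0].isdigit():  # the post's first line has no port field
        port = int(rest[0])
        rest = rest[1:]
    if len(rest) < 4:
        return None
    method, uri, query, status = rest[:4]
    try:
        return LogEntry(date, time, client_ip, server_ip, port, method, uri, query, int(status))
    except ValueError:
        return None


def classify(entry: LogEntry) -> Optional[str]:
    """Label a request as a back-door probe, an .ida overflow attempt, or neither."""
    if BACKDOOR_ROOT_EXE.search(entry.uri) or DRIVE_MAPPED_SHELL.match(entry.uri):
        return "backdoor-probe"
    if IDA_REQUEST.search(entry.uri) and OVERFLOW_FILLER.match(entry.query):
        return "ida-overflow-attempt"
    return None


def summarize(lines) -> dict:
    """Per source IP: count each kind of hit and record back-door probes that returned 200."""
    report = {}
    for line in lines:
        entry = parse_iis_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        rec = report.setdefault(entry.client_ip, {"backdoor-probe": 0, "ida-overflow-attempt": 0, "backdoor_hits": []})
        rec[kind] += 1
        # A 200 on a root.exe/cmd.exe probe means the back door is present: treat the server as compromised.
        if kind == "backdoor-probe" and entry.status == 200:
            rec["backdoor_hits"].append(entry.uri)
    return report


if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        verdict = "BACKDOOR PRESENT" if rec["backdoor_hits"] else "probes only"
        print(f"{ip}: {rec['backdoor-probe']} backdoor probes, "
              f"{rec['ida-overflow-attempt']} .ida overflow attempts, {verdict}")
```

Note that a 404 on the root.exe and cmd.exe probes, as in the post, only says the back door is absent at that path; the 200 on the .ida request says the ISAPI filter accepted the request, not whether the overflow succeeded, so the server's patch level and whether the IIS process kept running (the poster notes IIS may stop when the overflow fails) are what decide the outcome.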