RE: Code Red and other anomalous activity from 1433
From: Graham, Randy (RAW) (RAW@y12.doe.gov)
Date: 07/11/02
- Previous message: Bubsy: "Ideas? Port 21 SYNs, slow"
- Maybe in reply to: Curley Mr Eric P: "Code Red and other anomalous activity from 1433"
- Next in thread: Michael Fredericks: "RE: Code Red and other anomalous activity from 1433"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Graham, Randy (RAW) " <RAW@y12.doe.gov> To: Curley Mr Eric P <CurleyEP@NOC.USMC.MIL>, incidents@securityfocus.com Date: Thu, 11 Jul 2002 15:56:09 -0400
Seeing about 24 hours' worth of traffic here. Started a little before 8:00
yesterday morning. Last we saw of it was around 6:30 today (at least, the
last my internal snort sensor picked up - not sure if the firewall guys have
just blocked it or if it has stopped).
Randy Graham
--
Recursion (ri-'k&r-zh&n) [noun] - See: Recursion

> -----Original Message-----
> From: Curley Mr Eric P [mailto:CurleyEP@NOC.USMC.MIL]
> Sent: Thursday, July 11, 2002 10:26 AM
> To: incidents@securityfocus.com
> Subject: Code Red and other anomalous activity from 1433
>
> Has anybody else been getting slammed by Code Red activity today? It seems
> to be coming from mostly Asian blocks but there are some other blocks
> thrown in there as well. Then again it could all be spoofed and could be
> coming from the 12-year-old down the street. Thrown into all this traffic
> I'm also seeing a lot of Dest ports with 1433; possibly that SQL stuff that
> happened last month. Anywho, just wanted to know if anybody else was
> experiencing this.
>
> Cheers,
> Eric
>
> -----Original Message-----
> From: H C [mailto:keydet89@yahoo.com]
> Sent: Wednesday, July 10, 2002 1:40 PM
> To: Pavel Kankovsky; incidents@securityfocus.com
> Subject: RE: TCP port 139 probes
>
> > Having done a superficial examination of system directories on those
> > machines (they had a publicly accessible share, ergo I was invited,
> > wasn't I? <g>)
>
> Uh...no, you weren't. Just b/c a share is publicly accessible, does NOT,
> in fact, mean that you were invited. This is simply the age-old rhetoric
> used to justify malicious actions. While many admins have said that they
> would be very happy to be told by an outsider that they had a vulnerable
> machine, to date not a single one has said that they'd be happy to have
> that person access the machine via some vulnerability and take files.
>
> > I downloaded 3 of them and they all seem to be compressed executables
>
> As with your previous posts, this one is incredibly vague and lacking in
> any useful information. Compressed with what? PKZip? UPX? What version?
> Did you uncompress the files?
>
> > having a common prefix,
>
> If you're referring to the first couple of bytes of the file, "MZ" is the
> common prefix for executables on Windows systems.
>
> > and there are some fragments of strings ("rom", "y smt", ") with",
> > "ESM", "Mime-", "-Typ", "quit" etc) in that common prefix suggesting
> > there is some SMTP implementation there--presumably some kind of
> > malware able to spread via email.
>
> Did you run strings on the compressed or uncompressed file?
>
> > But I did not find anything similar on other machines I examined.
>
> Interesting how you've posted to a public list, basically stating that
> while you refuse to do any testing on your end to verify that the
> activity you're seeing is a worm (in your own words to me via email,
> you're "too lazy"), you're more than willing to access vulnerable systems
> and take files...
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
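The questions H C puts to the earlier poster (what the files were compressed with, whether "MZ" is anything more than the normal DOS executable header, and whether strings was run on the packed or the unpacked copy) amount to a basic first-pass triage of a suspect binary. The following Python script is an added example, not code from the thread or from any of the posters: it checks the magic bytes (MZ/PE versus a PKZip archive), walks the PE section table, flags the UPX0/UPX1 section names and "UPX!" marker that UPX leaves behind, and sweeps printable strings for SMTP/MIME indicators. The sample bytes are a constructed, minimal PE skeleton built inline (not real malware); the function names and the marker list are my own choices.

```python
"""Triage of a suspect Windows binary: file type by magic bytes, UPX
detection via section names, and a strings sweep for SMTP/MIME indicators.
Added example; the sample image below is constructed, not a real file."""
import re
import struct

# Assumed indicator list: protocol verbs and headers an SMTP mailer must carry.
SMTP_MARKERS = (b"HELO", b"EHLO", b"MAIL FROM", b"RCPT TO", b"QUIT",
                b"Mime-Version", b"Content-Type")

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def pe_section_names(data: bytes):
    """Return the section names of a PE image, or None if it is not MZ/PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR.size
        if off + SECTION_HDR.size > len(data):
            break                              # truncated file: stop, don't crash
        raw_name = SECTION_HDR.unpack_from(data, off)[0]
        names.append(raw_name.rstrip(b"\0").decode("ascii", "replace"))
    return names


def printable_strings(data: bytes, min_len: int = 4):
    """Equivalent of `strings -n <min_len>`: runs of printable ASCII."""
    return [s.decode("ascii")
            for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Classify the blob and collect the hints a first look should surface."""
    result = {"kind": "unknown", "packer": None,
              "sections": [], "smtp_indicators": []}
    sections = pe_section_names(data)
    if sections is not None:
        result["kind"] = "PE"
        result["sections"] = sections
        # UPX names its sections UPX0/UPX1 and stamps a "UPX!" marker; both are
        # attacker-controllable, so treat them as hints, not proof.
        if any(n.startswith("UPX") for n in sections) or b"UPX!" in data:
            result["packer"] = "UPX"
    elif data[:4] == b"PK\x03\x04":
        result["kind"] = "ZIP"                 # PKZip local file header
    for s in printable_strings(data):
        if any(m.decode() in s for m in SMTP_MARKERS):
            result["smtp_indicators"].append(s)
    return result


def build_sample_pe() -> bytes:
    """Constructed sample (not real malware): a minimal MZ/PE skeleton whose
    section table says UPX0/UPX1 and whose body carries SMTP/MIME strings."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header at 0x40
    # COFF header: i386, 2 sections, no symbols, optional header size 0
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0, 0x0102)
    body = b"UPX!" + b"\0" * 12 + b"\0".join([
        b"HELO mailer", b"MAIL FROM:<", b"RCPT TO:<",
        b"Mime-Version: 1.0", b"Content-Type: multipart/mixed", b"QUIT",
    ]) + b"\0"
    body_off = len(dos) + 4 + len(coff) + 2 * SECTION_HDR.size
    sections = (
        SECTION_HDR.pack(b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
        + SECTION_HDR.pack(b"UPX1", len(body), 0x11000, len(body), body_off,
                           0, 0, 0, 0, 0xE0000040))
    return bytes(dos) + b"PE\0\0" + coff + sections + body


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On a genuinely UPX-packed file the strings sweep returns only fragments of the kind quoted in the thread ("y smt", "Mime-", "-Typ"), because the text sits inside the compressed section; unpack first (for UPX, `upx -d` on a copy) and run the sweep again before drawing conclusions about what the program does.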