RE: Code Red and other anomalous activity from 1433
From: lsi (stuart@cyberdelix.net)
Date: 07/12/02
- Previous message: Pavel Kankovsky: "Conclusion: TCP port 139 probes"
- In reply to: Michael Fredericks: "RE: Code Red and other anomalous activity from 1433"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "lsi" <stuart@cyberdelix.net>
To: incidents@securityfocus.com
Date: Fri, 12 Jul 2002 11:29:14 +0100
I have noticed more attempts than usual to establish a netbios connection to my system. Also, I was on a
Chinese webserver the other day - www.suoluo.com - and I found some unusual stuff. It appeared the
server had been cracked and was being used to scan other systems. I downloaded the entire "worm"
directory and have been perusing it slowly since then. A directory listing of the worm is below. A
ready-to-install version of this "autorooter" - FluXay 4 - is at http://www.netxeyes.org/
The program includes over 100 attack scripts for various operating systems and servers, including Sun,
Linux, and IIS, formmail, various shopping carts, etc. It also mentions SQL, IPC, and password cracking.
Who knows whether this tool has anything to do with an increase in any kind of anomalous activity - but
this tool is out there, it does look pretty nasty, and it was being used, although apparently this was in
February, judging from timestamps.
Stuart
Directory of G:\down\hack\_worm
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
exploit <DIR> 08/07/02 16:00 Exploit
help <DIR> 08/07/02 16:00 Help
plugins <DIR> 08/07/02 16:00 Plugins
reports <DIR> 08/07/02 16:00 Reports
sqlrcmd <DIR> 08/07/02 16:00 SqlRcmd
tools <DIR> 08/07/02 16:00 Tools
fluxay4 exe 2,056,192 06/07/02 10:37 fluxay4.exe
1 flx 120 26/02/02 5:06 1.Flx
202982~1 ftp 42 26/02/02 5:06 202.98.221.5.ftp
1 hif 458 26/02/02 5:06 1.HIF
brute dic 92 26/02/02 5:06 brute.dic
cgibugs dat 20,571 26/02/02 5:06 cgibugs.dat
brute ult 86 26/02/02 5:06 brute.ult
cracked pwd 100 26/02/02 5:06 Cracked.pwd
dialup ini 3 26/02/02 5:06 Dialup.ini
chinese dic 36,753 26/02/02 5:06 chinese.dic
dict his 293 26/02/02 5:07 dict.his
exploi~1 rul 825 26/02/02 5:07 exploit.rule
exploi~2 rul 1,557 26/02/02 5:07 exploit_cn.rule
exploi~3 rul 1,636 26/02/02 5:07 exploit_en.rule
fshttp exe 192,512 26/02/02 5:07 FsHttp.exe
fshttp~1 htm 18,330 26/02/02 5:07 fshttp.html
ftp hlt 15 26/02/02 5:07 FTP.hlt
http hlt 45 26/02/02 5:07 HTTP.hlt
http1 gif 41,270 26/02/02 5:07 http1.gif
http2 gif 12,975 26/02/02 5:07 http2.gif
http3 gif 9,354 26/02/02 5:07 http3.gif
httpiis hlt 737 26/02/02 5:07 HttpIIS.Hlt
ipcdet~1 inf 163 26/02/02 5:07 IpcDetail.Inf
ipchost hlt 1,971 26/02/02 5:07 IpcHost.Hlt
ipclist ini 75 26/02/02 5:07 IpcList.INI
ipcsin~1 ini 101 26/02/02 5:07 ipcsingle.ini
last flx 1,740 26/02/02 5:08 Last.Flx
last hif 0 26/02/02 5:08 Last.HIF
last pwd 0 26/02/02 5:08 Last.pwd
libmysql dll 217,088 26/02/02 5:08 libmySQL.dll
mfc42 dll 995,383 26/02/02 5:08 MFC42.DLL
netxey~1 jpg 37,341 26/02/02 5:08 netxeyeslogo.jpg
msvcp60 dll 401,462 26/02/02 5:08 MSVCP60.DLL
ntcmd exe 20,480 26/02/02 5:08 NTCmd.exe
name dic 1,426 26/02/02 5:08 Name.dic
normal dic 9,247 26/02/02 5:08 Normal.dic
ntipc hlt 371 26/02/02 5:08 NTIPC.hlt
ntlmauth dll 20,480 26/02/02 5:08 NTLMAuth.dll
password dic 14,898 26/02/02 5:08 password.Dic
pipecmd exe 40,960 26/02/02 5:08 PipeCmd.exe
pop hlt 29 26/02/02 5:08 POP.hlt
pophost hlt 125 26/02/02 5:08 PopHost.Hlt
pubauth key 44,187 26/02/02 5:08 PubAuth.Key
report~1 htm 0 26/02/02 5:08 Report.html
restore ini 56 26/02/02 5:08 restore.ini
rhv dll 45,056 26/02/02 5:08 RHV.dll
sample1 gif 7,337 26/02/02 5:08 sample1.gif
sample2 gif 7,563 26/02/02 5:08 sample2.gif
sample3 gif 3,310 26/02/02 5:08 sample3.gif
sample4 gif 10,484 26/02/02 5:08 sample4.gif
sample5 gif 9,596 26/02/02 5:08 sample5.gif
sample6 gif 8,524 26/02/02 5:08 sample6.gif
sample7 gif 3,178 26/02/02 5:08 sample7.gif
search his 30 26/02/02 5:08 search.his
server dll 531 26/02/02 5:08 server.dll
single dic 8 26/02/02 5:08 single.dic
single ini 8 26/02/02 5:08 Single.INI
sqlhost hlt 665 26/02/02 5:08 SqlHost.Hlt
sys_mo~1 dic 2,232 26/02/02 5:08 Sys_Month_Date.Dic
sys_year dic 300 26/02/02 5:08 Sys_Year.Dic
uninstal exe 19,483 26/02/02 5:08 uninstal.exe
uninstal ini 16,796 26/02/02 5:08 uninstal.ini
unixcgi dat 6,328 26/02/02 5:08 unixcgi.dat
user his 33 26/02/02 5:08 user.his
words dic 91,453 26/02/02 5:09 Words.dic
65 file(s) 4,434,464 bytes
Directory of G:\down\hack\_worm\Exploit
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
local <DIR> 08/07/02 16:00 local
7350wu~1 gz 16,229 26/02/02 5:04 7350wu-v5.tar.gz
admmou~1 tgz 7,431 26/02/02 5:04 ADMmounted.tgz
amd c 4,751 26/02/02 5:04 amd.c
linx86~1 c 9,624 26/02/02 5:04 linx86_bind.c
lsub c 5,588 26/02/02 5:04 lsub.c
rpcaut~1 c 3,294 26/02/02 5:04 rpc.autofsd.c
rpc_cmsd c 12,455 26/02/02 5:04 rpc_cmsd.c
sadmin~1 c 17,254 26/02/02 5:04 sadmindex-sparc.c
seclpd c 11,791 26/02/02 5:04 seclpd.c
snmpxd~1 c 8,279 26/02/02 5:04 snmpxdmid.c
statdx c 19,729 26/02/02 5:04 statdx.c
ttdbse~1 c 9,017 26/02/02 5:04 ttdbserver.c
wuftp2~1 gz 3,861 26/02/02 5:04 wuftp25.tar.gz
13 file(s) 129,303 bytes
Directory of G:\down\hack\_worm\Exploit\local
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
sunspa~1 <DIR> 08/07/02 16:00 Sun Sparc
su c 12,554 26/02/02 5:04 su.c
1 file(s) 12,554 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
5 6 <DIR> 08/07/02 16:00 5.6
5 7 <DIR> 08/07/02 16:00 5.7
5 8 <DIR> 08/07/02 16:00 5.8
0 file(s) 0 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.6
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
lpset <DIR> 08/07/02 16:00 lpset
lpstat <DIR> 08/07/02 16:00 lpstat
netpr <DIR> 08/07/02 16:00 netpr
0 file(s) 0 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.6\lpset
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
default htm 26,148 26/02/02 5:04 default.htm
1 file(s) 26,148 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.6\lpstat
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
default htm 27,868 26/02/02 5:04 default.htm
1 file(s) 27,868 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.6\netpr
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
default htm 26,424 26/02/02 5:04 default.htm
1 file(s) 26,424 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.7
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
lpset <DIR> 08/07/02 16:00 lpset
lpstat <DIR> 08/07/02 16:00 lpstat
netpr <DIR> 08/07/02 16:00 netpr
xsun <DIR> 08/07/02 16:00 xsun
0 file(s) 0 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.7\lpset
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
default htm 26,148 26/02/02 5:04 default.htm
1 file(s) 26,148 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.7\lpstat
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
default htm 27,868 26/02/02 5:04 default.htm
1 file(s) 27,868 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.7\netpr
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
default htm 26,424 26/02/02 5:04 default.htm
1 file(s) 26,424 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.7\xsun
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
default htm 26,048 26/02/02 5:04 default.htm
1 file(s) 26,048 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.8
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
kcssun <DIR> 08/07/02 16:00 kcssun
0 file(s) 0 bytes
Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.8\kcssun
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
default htm 26,508 26/02/02 5:04 default.htm
1 file(s) 26,508 bytes
Directory of G:\down\hack\_worm\Help
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
1 27 <DIR> 08/07/02 16:00 1.27
image <DIR> 08/07/02 16:00 image
faq mht 20,731 26/02/02 5:05 faq.mht
fluxay~1 htm 24,924 26/02/02 5:05 fluxay4.html
form mht 205,476 26/02/02 5:05 form.mht
http mht 476,093 26/02/02 5:06 http.mht
index~1 htm 2,405 26/02/02 5:06 index.html
ipc mht 165,112 26/02/02 5:06 ipc.mht
remote mht 93,332 26/02/02 5:06 remote.mht
plugin~1 htm 12,539 26/02/02 5:06 plugin.html
sql mht 181,576 26/02/02 5:06 sql.mht
result~1 htm 39,513 26/02/02 5:06 result.html
10 file(s) 1,221,701 bytes
Directory of G:\down\hack\_worm\Help\1.27
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
additi~1 htm 4,712 26/02/02 5:04 addition_filelist.html
anfade~1 cla 16,397 26/02/02 5:04 AnFade.class
anfade jar 11,065 26/02/02 5:04 AnFade.jar
dictcomb gif 4,590 26/02/02 5:04 DICTCOMB.GIF
dictpr~1 gif 8,310 26/02/02 5:04 dictproper.gif
dictsp~1 gif 4,373 26/02/02 5:04 dictsplit.gif
engdict gif 8,512 26/02/02 5:04 ENGDICT.GIF
engdic~1 gif 3,465 26/02/02 5:04 engdictad.gif
flux gif 40,417 26/02/02 5:04 FLUX.GIF
flux1 gif 26,519 26/02/02 5:04 FLUX1.GIF
flux2 gif 40,417 26/02/02 5:04 FLUX2.GIF
flux3 gif 47,837 26/02/02 5:04 FLUX3.GIF
flux4 gif 60,885 26/02/02 5:04 FLUX4.GIF
flux5 gif 45,600 26/02/02 5:04 FLUX5.GIF
fluxst~1 gif 50,671 26/02/02 5:04 fluxstartup.gif
functi~1 gif 5,248 26/02/02 5:04 function_attackoption.gif
functi~2 gif 1,930 26/02/02 5:04 function_connectoption.gif
functi~3 gif 22,891 26/02/02 5:04 function_dictIII_1.gif
functi~4 gif 21,942 26/02/02 5:04 function_dictIII_2.gif
functi~5 gif 22,408 26/02/02 5:04 function_dictIII_3.gif
functi~6 gif 7,823 26/02/02 5:04 function_dictIII_4.gif
functi~7 gif 21,021 26/02/02 5:04 function_dictIII_5.gif
functi~8 gif 3,389 26/02/02 5:04 function_dictoption.gif
functi~9 gif 2,423 26/02/02 5:04 function_otheroption.gif
funct~10 gif 3,340 26/02/02 5:04 function_singleoption.gif
funct~11 gif 5,557 26/02/02 5:04 function_sysoption.gif
index~1 htm 3,580 26/02/02 5:04 index.html
intro gif 50,426 26/02/02 5:04 INTRO.GIF
mainback jpg 5,096 26/02/02 5:05 MAINBACK.JPG
menu_a~1 gif 2,816 26/02/02 5:05 menu_attack.gif
menu_e~1 gif 4,462 26/02/02 5:05 menu_edit.gif
menu_f~1 gif 2,485 26/02/02 5:05 menu_file.gif
menu_h~1 gif 1,236 26/02/02 5:05 menu_help.gif
menu_o~1 gif 1,687 26/02/02 5:05 menu_option.gif
menu_t~1 gif 4,313 26/02/02 5:05 menu_tool.gif
msdos gif 8,606 26/02/02 5:05 MSDOS.GIF
part_1~1 htm 2,983 26/02/02 5:05 part_1.html
part_2~1 htm 19,152 26/02/02 5:05 part_2.html
part_3~1 htm 1,989 26/02/02 5:05 part_3.html
part_3~2 htm 1,138 26/02/02 5:05 part_3_1.html
part_3~3 htm 4,105 26/02/02 5:05 part_3_2.html
part_3~4 htm 1,295 26/02/02 5:05 part_3_2_1.html
part_3~5 htm 7,111 26/02/02 5:05 part_3_3.html
part_3~6 htm 8,313 26/02/02 5:05 part_3_5.html
part_3~7 htm 18,577 26/02/02 5:05 part_3_4.html
part_3~8 htm 14,948 26/02/02 5:05 part_3_6.html
part_3~9 htm 2,293 26/02/02 5:05 part_3_7.html
part_5~1 htm 1,007 26/02/02 5:05 part_5.html
part_4~1 htm 3,092 26/02/02 5:05 part_4.html
planedit gif 4,753 26/02/02 5:05 Planedit.gif
produc~1 gif 62,290 26/02/02 5:05 productsn.gif
sharem~1 gif 70,662 26/02/02 5:05 sharemail.gif
52 file(s) 800,157 bytes
Directory of G:\down\hack\_worm\Help\image
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
netxey~1 jpg 37,341 26/02/02 5:05 netxeyeslogo.jpg
scanbase gif 37,323 26/02/02 5:05 scanbase.gif
scanport gif 32,356 26/02/02 5:05 scanport.gif
scanpop gif 31,557 26/02/02 5:05 scanpop.gif
scanftp gif 31,790 26/02/02 5:05 scanftp.gif
scansmtp gif 31,512 26/02/02 5:05 scansmtp.gif
scanimap gif 31,629 26/02/02 5:05 scanimap.gif
scante~1 gif 31,049 26/02/02 5:05 scantelnet.gif
scancgi gif 32,358 26/02/02 5:05 scancgi.gif
scancg~1 gif 12,953 26/02/02 5:05 scancgirule.gif
scansql gif 31,692 26/02/02 5:05 scansql.gif
scanipc gif 33,061 26/02/02 5:05 scanipc.gif
scaniis gif 32,478 26/02/02 5:05 scaniis.gif
scanfi~1 gif 31,677 26/02/02 5:05 scanfinger.gif
scanrpc gif 31,079 26/02/02 5:05 scanrpc.gif
scanmisc gif 31,560 26/02/02 5:05 scanmisc.gif
scanpl~1 gif 12,395 26/02/02 5:05 scanplugin.gif
scanop~1 gif 35,264 26/02/02 5:05 scanoption.gif
tcpopt~1 gif 2,344 26/02/02 5:05 tcpoption.gif
result~1 gif 4,985 26/02/02 5:05 result_ipc.gif
result~2 gif 7,302 26/02/02 5:05 result_ipc_ntcmd.gif
result~3 gif 4,829 26/02/02 5:05 result_sql.gif
result~4 gif 3,559 26/02/02 5:05 result_iis_remoteexecute.gif
result~5 gif 8,183 26/02/02 5:05 result_sql_sqlrcmd.gif
result~6 gif 3,050 26/02/02 5:05 result_iis_remoteexecutetyp.gif
result~7 gif 3,946 26/02/02 5:05 result_pca_connect.gif
result~8 gif 9,237 26/02/02 5:05 result_iis_remoteexecutewin.gif
result~9 gif 4,967 26/02/02 5:05 result_pca_ftp.gif
resul~10 gif 2,246 26/02/02 5:05 result_pca_crack.gif
resul~11 gif 3,559 26/02/02 5:05 result_fpg_ipc.gif
resul~12 gif 1,836 26/02/02 5:05 result_fpg_add.gif
resul~13 gif 6,806 26/02/02 5:05 result_fpg_import.gif
resul~14 gif 3,401 26/02/02 5:05 result_fpg_selectuser.gif
resul~15 gif 5,000 26/02/02 5:05 result_ipc_planter.gif
resul~16 gif 9,419 26/02/02 5:05 result_mysql.gif
resul~17 gif 10,862 26/02/02 5:05 result_sun_finger.gif
resul~18 gif 4,369 26/02/02 5:05 result_sun_finger_crack.gif
37 file(s) 648,974 bytes
Directory of G:\down\hack\_worm\Plugins
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
nullpr~1 flu 264 26/02/02 5:06 nullprinter.flux
1 file(s) 264 bytes
Directory of G:\down\hack\_worm\Reports
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
202102~1 htm 887 26/02/02 5:06 202.102.108.111-202.102.108.111.html
202981~1 htm 55,758 26/02/02 5:06 202.98.196.1-202.98.198.255.html
202981~2 htm 4,645 26/02/02 5:06 202.98.197.146-202.98.197.146.html
202982~1 htm 820 26/02/02 5:06 202.98.216.9-202.98.216.9.html
202996~1 htm 2,232 26/02/02 5:06 202.99.67.100-202.99.67.100.html
netxey~1 jpg 37,341 26/02/02 5:06 netxeyeslogo.jpg
6 file(s) 101,683 bytes
Directory of G:\down\hack\_worm\SqlRcmd
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
sqlrcm~1 <DIR> 08/07/02 16:00 SqlRCmd_Express
sqlrcm~2 <DIR> 08/07/02 16:00 SqlRCmd_Normal
0 file(s) 0 bytes
Directory of G:\down\hack\_worm\SqlRcmd\SqlRCmd_Express
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
0 file(s) 0 bytes
Directory of G:\down\hack\_worm\SqlRcmd\SqlRCmd_Normal
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
0 file(s) 0 bytes
Directory of G:\down\hack\_worm\Tools
. <DIR> 08/07/02 16:00 .
.. <DIR> 08/07/02 16:00 ..
netsvc exe 78,640 26/02/02 5:06 NETSVC.EXE
ntlm exe 110,592 26/02/02 5:06 NTLM.EXE
pskill exe 77,824 26/02/02 5:06 PSKILL.EXE
runasex exe 36,864 26/02/02 5:06 RunAsEx.exe
srv exe 59,392 26/02/02 5:06 SRV.EXE
5 file(s) 363,312 bytes
Total files listed:
198 file(s) 7,925,848 bytes
71 dir(s) 1,061.63 MB free
On 11 Jul 2002 at 14:53, Michael Fredericks wrote:
From: "Michael Fredericks" <mfredericks@infosol.com>
To: "'Graham, Randy (RAW) '" <RAW@y12.doe.gov>,
"'Curley Mr Eric P'" <CurleyEP@NOC.USMC.MIL>,
<incidents@securityfocus.com>
Subject: RE: Code Red and other anomalous activity from 1433
Date sent: Thu, 11 Jul 2002 14:53:08 -0700
> Hi All,
> I've been getting slammed with Subseven attempts in the past 24 hours.
> Again they are almost all from Asia (APNIC) and most of the ones I've
> traced so far have been in Korea. Since it is Subseven, I wouldn't
> imagine they'd be spoofed so I think it is safe to say there is
> something weird going on in Asia.
>
> Michael Fredericks
> Manager - Networks and Telecommunications
> InfoSol, Inc.
> mfredericks@infosol.com
> http://www.infosol.com/
>
>
> -----Original Message-----
> From: Graham, Randy (RAW) [mailto:RAW@y12.doe.gov]
> Sent: Thursday, July 11, 2002 12:56 PM
> To: Curley Mr Eric P; incidents@securityfocus.com
> Subject: RE: Code Red and other anomalous activity from 1433
>
> Seeing about 24 hours worth of traffic here. Started a little before
> 8:00 yesterday morning. Last we saw of it was around 6:30 today (at least,
> the last my internal snort sensor picked up - not sure if the firewall guys
> have just blocked it or if it has stopped).
>
> Randy Graham
> --
> Recursion (ri-'k&r-zh&n) [noun] - See: Recursion
>
>
> > -----Original Message-----
> > From: Curley Mr Eric P [mailto:CurleyEP@NOC.USMC.MIL]
> > Sent: Thursday, July 11, 2002 10:26 AM
> > To: incidents@securityfocus.com
> > Subject: Code Red and other anomalous activity from 1433
> >
> >
> > Has anybody else been getting slammed by Code Red activity today? It seems
> > to be coming from mostly Asian blocks but there are some other blocks
> > thrown in there as well. Then again it could all be spoofed and could be
> > coming from the 12-year-old down the street..Thrown into all this traffic
> > I'm also seeing a lot of Dest ports with 1433; Possibly that SQL stuff that
> > happened last month..anywho, just wanted to know if anybody else was
> > experiencing this.
> >
> > Cheers,
> > Eric
> >
> > -----Original Message-----
> > From: H C [mailto:keydet89@yahoo.com]
> > Sent: Wednesday, July 10, 2002 1:40 PM
> > To: Pavel Kankovsky; incidents@securityfocus.com
> > Subject: RE: TCP port 139 probes
> >
> >
> >
> > > Having done a superficial examination of system directories on those
> > > machines (they had a publicly accessible share, ergo I was invited,
> > > wasn't I? <g>)
> >
> > Uh...no, you weren't. Just b/c a share is publicly
> > accessible, does NOT, in fact, mean that you were
> > invited. This is simply the age-old rhetoric used to
> > justify malicious actions. While many admins have
> > said that they would be very happy to be told by an
> > outsider that they had a vulnerable machine, to date
> > not a single one has said that they'd be happy to have
> > that person access the machine via some vulnerability
> > and take files.
> >
> > > I downloaded 3 of them and they all seem to be
> > > compressed executables
> >
> > As with your previous posts, this one is incredibly
> > vague and lacking in any useful information.
> > Compressed with what? PKZip? UPX? What version?
> > Did you uncompress the files?
> >
> > > having a common prefix,
> >
> > If you're referring to the first couple of bytes of
> > the file, "MZ" is the common prefix for executables on
> > Windows systems.
> >
> > > and there are some fragments of strings ("rom", "y smt", ") with",
> > > "ESM", "Mime-", "-Typ", "quit" etc) in that common prefix suggesting
> > > there is some SMTP implementation there--presumably some kind of
> > > malware able to spread via email.
> >
> > Did you run strings on the compressed or uncompressed
> > file?
> >
> > > But I did not find anything similar on other
> > > machines I examined.
> >
> > Interesting how you've posted to a public list,
> > basically stating that while you refuse to do any
> > testing on your end to verify that the activity you're
> > seeing is a worm (in your own words to me via email,
> > you're "too lazy"), you're more than willing to access
> > vulnerable systems and take files...
--
Stuart Udall
stuart@cyberdelix.net - http://www.cyberdelix.net/
..revolution through evolution
want to make some cash? check out http://cyberdelix.net/affiliates.htm
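The quoted exchange turns on two questions a defender can answer from sensor logs: which destination ports and source blocks the activity clusters in, and whether the sources can be spoofed (a completed TCP handshake, as with a SubSeven connect, means the client really received the SYN-ACK; a bare SYN, as much Code Red scanning appears at the firewall, proves nothing about the source). The script below is an added example and not code from anyone in this thread; its log line format is a constructed simplification (`<ISO time> <src-ip> <dst-port> <flags>`, with `S` for a SYN only and `SA` where the handshake completed), the sample addresses are made up, and the port labels are this example's own.

```python
"""Group inbound connection attempts by destination port and source /8,
and separate bare SYNs from completed handshakes.

Added example, not code from the original thread. Log format is a
constructed simplification; real sensors (snort, firewall logs) differ.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address

# Ports named in the thread; labels are an assumption of this example.
PORT_LABELS = {80: "http (Code Red)", 139: "netbios-ssn",
               1433: "ms-sql", 27374: "subseven"}

# Constructed sample log; addresses are made up, not real sources.
SAMPLE_LOG = """\
2002-07-11T08:02:11 211.45.10.7 27374 SA
2002-07-11T08:02:14 211.45.10.7 27374 SA
2002-07-11T08:03:40 210.12.33.9 1433 S
2002-07-11T08:03:41 210.12.33.9 1433 S
2002-07-11T08:05:02 61.140.2.200 80 S
2002-07-11T08:05:03 61.140.2.200 80 SA
2002-07-11T08:06:17 12.34.56.78 139 S
2002-07-11T08:07:55 218.3.4.5 1433 SA
"""


def parse_line(line):
    ts, src, port, flags = line.split()
    ip_address(src)  # raises ValueError on a malformed address
    return {"ts": ts, "src": src, "port": int(port), "flags": flags}


def source_block(addr):
    """Coarse /8 grouping, the way the thread talks about 'Asian blocks'."""
    return addr.split(".")[0] + ".0.0.0/8"


def summarise(log_text):
    """Per destination port: attempts, completed handshakes, source /8 counts."""
    summary = defaultdict(lambda: {"attempts": 0, "completed": 0,
                                   "blocks": Counter()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        s = summary[ev["port"]]
        s["attempts"] += 1
        if ev["flags"] == "SA":
            s["completed"] += 1
        s["blocks"][source_block(ev["src"])] += 1
    return dict(summary)


def spoof_assessment(summary):
    """A completed handshake means the peer received our SYN-ACK, so its
    source address is genuine (though it may itself be a compromised host).
    SYN-only traffic says nothing about where it really came from."""
    return {port: ("handshakes completed; sources not spoofed"
                   if s["completed"] > 0
                   else "SYNs only; source addresses unverifiable")
            for port, s in summary.items()}


def report(log_text):
    summary = summarise(log_text)
    verdict = spoof_assessment(summary)
    lines = []
    for port in sorted(summary):
        s = summary[port]
        top = ", ".join(f"{b}:{n}" for b, n in s["blocks"].most_common(3))
        lines.append(f"port {port:5d} {PORT_LABELS.get(port, '?'):16s} "
                     f"attempts={s['attempts']} completed={s['completed']} "
                     f"top_blocks=[{top}]  {verdict[port]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feeding a real sensor export through this means only replacing `parse_line`; the grouping and the handshake test stay the same.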
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
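H C's reply asks the right triage questions about the files found on those shares: does the "common prefix" amount to more than the "MZ" header every Windows executable carries, was the file packed (UPX, PKZip) and with what, and was `strings` run on the packed or the unpacked image. The following is an added example, not code from anyone in this thread, that walks a file through those checks: it verifies the MZ/PE headers, reads the section table for packer-style section names or a virtual-only unpack target, and extracts printable runs to show why a packed binary yields only fragments such as "Mime-" or "y smt". The two sample binaries are constructed in `build_sample()` and are not real programs; they omit the optional header, which the parser tolerates because it reads `SizeOfOptionalHeader` from the file. The packer section-name list is this example's own assumption.

```python
"""Static triage of a Windows executable: MZ/PE check, packer hints from
the section table, and printable-string extraction.

Added example, not code from the thread. Header offsets follow the
published PE layout; the sample images are constructed, not real.
"""
import random
import re
import struct

# Section names left by common packers (assumption of this example;
# real triage uses a larger, maintained list).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".petite"}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def is_mz(data):
    return data[:2] == b"MZ"


def pe_sections(data):
    """Return [(name, virtual_size, raw_size), ...] or [] if not a PE image."""
    if not is_mz(data) or len(data) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 4 + 20 + opt_size   # signature + COFF header + optional header
    out = []
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        out.append((name, vsize, rsize))
    return out


def packed_hint(sections):
    """Packer section names, or a section with virtual size but no raw data
    (the unpack target UPX reserves), are strong hints the file is packed."""
    return any(name in PACKER_SECTION_NAMES or (vsize > 0 and rsize == 0)
               for name, vsize, rsize in sections)


def extract_strings(data):
    """Equivalent of `strings -n 4` over the whole file."""
    return [m.decode("ascii") for m in PRINTABLE_RUN.findall(data)]


def triage(data):
    sections = pe_sections(data)
    return {"mz": is_mz(data), "pe": bool(sections),
            "sections": [n.decode("ascii", "replace") for n, _, _ in sections],
            "packed_hint": packed_hint(sections),
            "strings": extract_strings(data)}


def build_sample(sections):
    """Constructed minimal PE: DOS header, signature, COFF header, section
    table, raw data. sections = [(name, raw_bytes, virtual_size), ...]."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = 0x40 + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, raw, vsize in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, len(raw), raw_ptr, 0, 0, 0, 0, 0xC0000040)
        body += raw
        raw_ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + table + body


PLAIN_TEXT = (b"\0HELO mail.example.test\r\n\0MAIL FROM:<x>\0"
              b"Content-Type: text/plain\0QUIT\r\n\0")


def plain_sample():
    """Unpacked image: the SMTP strings are readable in full."""
    return build_sample([(b".text", PLAIN_TEXT, len(PLAIN_TEXT))])


def packed_sample():
    """UPX-style image: empty UPX0 (unpack target) plus a UPX1 of
    high-entropy bytes in which only stub fragments remain readable."""
    rng = random.Random(7)
    junk = lambda n: bytes(rng.randrange(0x80, 0x100) for _ in range(n))
    upx1 = junk(48) + b"\0y smt\0" + junk(64) + b"\0Mime-\0" + junk(48)
    return build_sample([(b"UPX0", b"", 0x8000), (b"UPX1", upx1, len(upx1))])


if __name__ == "__main__":
    for label, blob in (("plain", plain_sample()), ("packed", packed_sample())):
        print(label, triage(blob))
```

The practical point is the last assertion below: the same SMTP strings that are plainly visible in the unpacked image are absent from the packed one, so fragments seen with `strings` are evidence that unpacking is still to be done, not a description of the payload.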