From: Jeff Jennings (jjennings@zoominternet.net)
Date: Fri Feb 22 2002 - 15:48:32 CST


    This week's grand prize goes to 63.204.135.168
    For allowing PUT rights on Port 80 (I wonder how many hackers are
    lurking here).
    Being vulnerable on Port 25 and many other ports...
    Anyone need an open relay?

    No wonder the guy is spewing Code Reds...
    We just ran a port scan and tested the guy.
    Some guy running IIS over a DSL connection with a site that is listed as
    "Under Construction".
    Just another unsuspecting guy who installed IIS on his home computer and
    has no idea of how to protect it.

    This message comes just in time as it's 4:45 pm here and I really need a
    beer!

    - jeff

    -----Original Message-----
    From: snort-users-admin@lists.sourceforge.net
    [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Skip
    Carter
    Sent: Friday, February 22, 2002 4:14 PM
    To: Scott Taylor
    Cc: snort-users@lists.sourceforge.net
    Subject: Re: [Snort-users] attack

    > So what's the best thing to do with this type of attack? Turn 'em in?
    > To whom? Is there a way I can let them know that I know what they're
    > doing? Any ideas?
     

    > [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
    > [Classification: Web Application Attack] [Priority: 1]
    > 02/22-10:13:19.830419 63.204.135.168:2122 -> 63.169.127.223:80
    > TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF
    > ***AP*** Seq: 0x79EC6CC Ack: 0x21AE2090 Win: 0x4248 TcpLen: 20

    Unfortunately, there isn't a lot you can do about these attacks other than defend yourself against them. I have gone as far as firewalling a few of the very persistent servers.

    I have tracked down sysadmins of the offending servers in some special cases (hospitals, insurance companies, financial institutions, and government agencies). The nearly universal response was "I didn't know we were running a web server on that machine!" (a consequence of MS efforts to brag that they have more deployed IIS servers than Apache, by turning on IIS by default). I suspect that most admins that are actually purposefully using IIS have long since patched their servers. Most of the admins of these infected systems have no idea what to do about fixing a problem that they didn't even know that they had, so if you do contact them, they would probably appreciate info on how to fix their servers. They clearly aren't running any type of IDS or they would have discovered the unusual outbound traffic themselves.

    -- 
     Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
     Taygeta Scientific Inc.        INTERNET: skip@taygeta.com
     1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
     Monterey, CA. 93940            
    

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
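The thread's advice amounts to: parse the Snort alerts, count how often each source keeps hitting you with the CodeRed signature, and firewall only the persistent ones. The following Python is an added example written for this archive page; it is not code from either poster or from the Snort project. It assumes Snort's multi-line "full" alert format exactly as quoted in the thread (header, classification/priority line, flow line). The first sample block is the alert from the thread; the remaining blocks, including the RFC 5737 documentation addresses, are constructed for the example. The `iptables` lines are produced as text for an administrator to review, not executed.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input in Snort's multi-line "full" alert format. The first
# block is the alert quoted in the thread; the others are made up for this
# example (192.0.2.0/24 is a documentation range, not a real host).
SAMPLE_ALERTS = """\
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:19.830419 63.204.135.168:2122 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x79EC6CC Ack: 0x21AE2090 Win: 0x4248 TcpLen: 20

[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:41:02.110000 63.204.135.168:2311 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:56402 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x7A01311 Ack: 0x21AF0000 Win: 0x4248 TcpLen: 20

[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-11:02:55.500000 63.204.135.168:2590 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57011 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x7A1F200 Ack: 0x21B00000 Win: 0x4248 TcpLen: 20

[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-11:15:09.000000 192.0.2.44:1040 -> 63.169.127.223:80
TCP TTL:112 TOS:0x0 ID:1021 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1000000 Ack: 0x20000000 Win: 0x4000 TcpLen: 20
"""


class Alert(NamedTuple):
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
# "MM/DD-HH:MM:SS.usec src:port -> dst:port"
FLOW_RE = re.compile(
    r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)


def parse_alerts(text: str) -> List[Alert]:
    """Parse blank-line-separated Snort full-format alert blocks.

    Malformed blocks are skipped rather than aborting the whole run, so a
    truncated tail of the alert file does not hide the alerts before it.
    """
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        m_hdr = HEADER_RE.match(lines[0])
        # The classification line is optional in Snort output, so locate the
        # flow line by pattern instead of by position.
        m_flow: Optional[re.Match] = next(
            (m for m in (FLOW_RE.match(ln) for ln in lines[1:]) if m), None
        )
        if not (m_hdr and m_flow):
            continue
        m_pri = next((PRIORITY_RE.search(ln) for ln in lines if PRIORITY_RE.search(ln)), None)
        alerts.append(Alert(
            gid=int(m_hdr.group(1)), sid=int(m_hdr.group(2)), rev=int(m_hdr.group(3)),
            msg=m_hdr.group(4), priority=int(m_pri.group(1)) if m_pri else 0,
            timestamp=m_flow.group(1),
            src_ip=m_flow.group(2), src_port=int(m_flow.group(3)),
            dst_ip=m_flow.group(4), dst_port=int(m_flow.group(5)),
        ))
    return alerts


def persistent_sources(alerts: List[Alert], sid: int = 1256, threshold: int = 3) -> Dict[str, int]:
    """Count hits per source for one signature; keep only sources at or above threshold."""
    counts = Counter(a.src_ip for a in alerts if a.sid == sid)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def block_rules(sources: Dict[str, int]) -> List[str]:
    """Render iptables DROP rules for review; nothing here applies them."""
    return [
        f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP  # {n} CodeRed alerts"
        for ip, n in sorted(sources.items())
    ]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for rule in block_rules(persistent_sources(parsed)):
        print(rule)
```

With the sample input only the host that fired three times crosses the threshold; the single-hit source is left alone, which is the point of counting before firewalling. In practice the threshold and signature ID would be tuned to the local alert file, and the generated rules reviewed before being applied.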