From: Alan Mercer (Alan.MercerMARLBOROUGH-STIRLING.COM)
Date: Wed Sep 19 2001 - 11:51:07 CDT

    It seems that just browsing web servers can infect your machine - regardless
    of which browser you use. We had a user browse www.tapdogs.com (don't go
    there unprotected) and infect themselves through the temporary internet
    files.

    Our first hit from this was at 11:32am on Monday so I imagine there are a
    lot of infected sites by now. Our IDS is also reporting 500+ hits per hour,
    when Code Red at its peak was 500/day...

    -----Original Message-----
    From: Buck Hicks [mailto:hicksbRITSEMA.COM]
    Sent: 19 September 2001 15:37
    To: win2ksecadviceLISTSERV.NTSECURITY.NET
    Subject: Re: Increase of scanning.

    My Win2K machine was infected last night. The odd thing is that I use
    Netscape for viewing HTML and reading mail. This is a relatively new
    install and I hadn't taken the time to install my virus scanner yet.
    Anyway, I turned on my computer yesterday and there was an icon on my
    desktop that looked like an envelope with the name of readme. I knew not
    to open it based on the warnings from these lists. As soon as I tried to
    load and run Norton I started getting warnings left and right.

    I cannot figure out how this attachment was on my desktop. I use
    Windows 2000 workstation with a 14 letter password that is not a known
    word and no one else logs onto the computer but me. Any ideas?

    -----Original Message-----
    From: Chad Smykay [mailto:csmykayRACKSPACE.COM]
    Sent: Tuesday, September 18, 2001 1:54 PM
    To: win2ksecadviceLISTSERV.NTSECURITY.NET
    Subject: Increase of scanning.

    Apparently there is a new worm called "nimda". Here is some REALLY
    general info:

    http://www.f-secure.com/v-descs/nimda.shtml

    Other links in regards to this:

    http://www.cert.org/current/current_activity.html#port80

    http://www.cert.org/advisories/CA-2001-11.html

    However I wanted to review what I have found so far. From what I can
    tell there is an "mmc.exe" process or processes that is being run when
    there are NO other users logged in and no such process being spawned.

    Also it appears to be doing NetBIOS scans at the same time it is doing
    these IP range scans. By monitoring a current server that is running
    this exploit, I see about 20-30 "net.exe" and "net1.exe" being spawned.
    Most likely they are also trying to do NetBIOS scans either on the
    current network they are on or other IP Ranges.

    The only thing that we can think to do at this time is to block this
    traffic via IDS.

    It also appears that they are attempting to send this new "readme.exe"
    via IIS SMTP Server, but we cannot confirm that right now. Anyone?

    Here is a snippet from the log files that if you probably check right
    now on your server you will see:

    <-- Begin Logfile snip
    [Tue Sep 18 08:13:17 2001] [error] [client 195.124.124.237] File does not exist: /usr/local/etc/httpd/sites/default.ida
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/root.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/MSADC/root.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/c/winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/d/winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..Á../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..À¯../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..Áoe../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..%2f../winnt/system32/cmd.exe
    <-- End logfile snip

    Please note that the above is from a Linux Web server but you will see
    the same across the board.

    Here is another snip from a Windows NT server logfile:

    <-- Begin log snip
    4:48:02 209.61.190.233 GET /scripts/root.exe 403
    14:48:02 209.61.190.233 GET /MSADC/root.exe 200
    14:48:31 209.61.187.113 GET /scripts/root.exe 403
    14:48:31 209.61.187.113 GET /MSADC/root.exe 200
    14:48:31 209.61.187.113 GET /MSADC/root.exe 502
    14:48:31 209.61.187.113 GET /MSADC/Admin.dll 500
    14:48:31 209.61.187.113 GET /c/winnt/system32/cmd.exe 404
    14:48:31 209.61.187.113 GET /d/winnt/system32/cmd.exe 404
    14:48:31 209.61.187.113 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
    14:48:31 209.61.187.113 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
    14:48:31 209.61.187.113 GET /scripts/..Á../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/../../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/..\../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/..S5c../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/..S5c../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/..%2f../winnt/system32/cmd.exe 403
    <-- End log snip

    If you have ANY additional info please share with everyone.

    Kind Regards,

    Chad Smykay
    Rackspace Managed Hosting

    ______________________________________
    Chad Smykay
    Sys Admin Complex Division
    Rackspace Managed Hosting
    800-961-4454 ext. 1249.
    ______________________________________

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
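The probe URIs in the two log snippets are the kind of traffic the thread suggests blocking at the IDS. As an added example, not part of any message in the thread, here is a Python script that parses both log formats shown (the Apache error_log "File does not exist" lines and the compact time/ip/method/path/status lines from the NT server), tags each request with the indicator it matches (default.ida, root.exe, Admin.dll, and cmd.exe reached either directly or through an encoded traversal), tallies them per source address, and separately lists any probe the server answered with a 2xx. The log lines embedded in it are constructed for the example using RFC 5737 test addresses, not the thread's own entries, and the indicator names and the noisy_sources threshold are the example's own choices.

```python
import re
from collections import Counter, defaultdict

# Apache error_log line, in the shape of the Linux snippet in the thread.
APACHE_ERR = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)"
)
# Compact "time ip method path status" line, in the shape of the NT snippet.
IIS_LOG = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}) (?P<ip>[\d.]+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
# Traversal separators seen in the probes: literal or %-encoded slash and
# backslash, the overlong UTF-8 forms, and the mangled high bytes an error
# log shows when those overlong bytes are written out raw.
TRAVERSAL = re.compile(
    r"\.\.(?:%5c|%2f|%c0%af|%c1%9c|%c1%1c|[\\/]|[^\x00-\x7f]+)", re.I
)

# Constructed sample input (RFC 5737 test addresses), not the thread's logs.
SAMPLE_LINES = [
    "[Tue Sep 18 08:13:17 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/default.ida",
    "[Tue Sep 18 08:22:19 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe",
    "[Tue Sep 18 08:22:19 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe",
    "[Tue Sep 18 08:22:20 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico",
    "14:48:02 192.0.2.20 GET /scripts/root.exe 403",
    "14:48:02 192.0.2.20 GET /MSADC/root.exe 200",
    "14:48:31 192.0.2.20 GET /MSADC/Admin.dll 500",
    "14:48:31 192.0.2.20 GET /c/winnt/system32/cmd.exe 404",
    "14:48:31 192.0.2.20 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403",
    "14:48:31 192.0.2.20 GET /scripts/..%c1%1c../winnt/system32/cmd.exe 403",
    "14:48:40 192.0.2.30 GET /index.html 200",
]


def parse_line(line):
    """Return ip/path/status for a recognised log line, or None otherwise."""
    m = APACHE_ERR.match(line)
    if m:
        return {"ip": m["ip"], "path": m["path"], "status": None}
    m = IIS_LOG.match(line)
    if m:
        return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}
    return None


def classify(path):
    """Name the worm indicator a requested path matches, or None if benign."""
    p = path.lower()
    if p.endswith("/default.ida"):
        return "default.ida"
    if p.endswith("/root.exe"):
        return "root.exe"
    if p.endswith("/admin.dll"):
        return "Admin.dll"
    if p.endswith("/cmd.exe"):
        return "cmd.exe-traversal" if TRAVERSAL.search(p) else "cmd.exe-direct"
    return None


def analyze(lines):
    """Tally indicators per source IP and collect probes that got a 2xx."""
    hits = defaultdict(Counter)
    served = []
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec is None:
            continue
        indicator = classify(rec["path"])
        if indicator is None:
            continue
        hits[rec["ip"]][indicator] += 1
        # A 2xx on one of these paths means the server served the file.
        if rec["status"] is not None and 200 <= rec["status"] < 300:
            served.append((rec["ip"], rec["path"], rec["status"]))
    return {"hits": {ip: dict(c) for ip, c in hits.items()}, "served": served}


def noisy_sources(report, threshold):
    """Source IPs with at least `threshold` indicator hits (block candidates)."""
    return sorted(ip for ip, c in report["hits"].items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES)
    for ip, counts in report["hits"].items():
        print(ip, counts)
    for ip, path, status in report["served"]:
        print(f"WARNING: {ip} got HTTP {status} for {path}; host may already be compromised")
    print("block candidates:", noisy_sources(report, 5))
```

The served list is the part worth watching: a 403 or 404 on these paths is just a scan, but a 200 for /MSADC/root.exe, as in the NT snippet above, means the server actually served that file, so root.exe (the cmd.exe copy that earlier IIS worms leave in /scripts and /MSADC) is present and the host should be treated as already compromised rather than merely scanned.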