From: Boyan Krosnov (bkrosnov@LIREX.BG)
Date: Wed Sep 19 2001 - 15:08:12 CDT


    Are you sure about that "regardless of version used" thing?

    > -----Original Message-----
    > From: Alan Mercer [mailto:Alan.Mercer@MARLBOROUGH-STIRLING.COM]
    > Sent: Wednesday, September 19, 2001 7:51 PM
    > To: win2ksecadvice@LISTSERV.NTSECURITY.NET
    > Subject: Re: Increase of scanning.
    >
    >
    > It seems that just browsing web servers can infect your machine - regardless
    > of which browser you use. We had a user browse www.tapdogs.com (don't go
    > there unprotected) and infect themselves through the temporary internet
    > files.
    >
    > Our first hit from this was at 11:32am on Monday so I imagine there are a
    > lot of infected sites by now. Our IDS is also reporting 500+ hits per hour,
    > when Code Red at its peak was 500/day...
    >
    > -----Original Message-----
    > From: Buck Hicks [mailto:hicksb@RITSEMA.COM]
    > Sent: 19 September 2001 15:37
    > To: win2ksecadvice@LISTSERV.NTSECURITY.NET
    > Subject: Re: Increase of scanning.
    >
    >
    > My Win2K machine was infected last night. The odd thing is that I use
    > Netscape for viewing HTML and reading mail. This is a relatively new
    > install and I hadn't taken the time to install my virus scanner yet.
    > Anyway, I turned on my computer yesterday and there was an icon on my
    > desktop that looked like an envelope with the name of readme. I knew not
    > to open it based on the warnings from these lists. As soon as I tried to
    > load and run Norton I started getting warnings left and right.
    >
    > I can not figure out how this attachment was on my desktop, I use
    > Windows 2000 workstation with a 14 letter password that is not a known
    > word and no one else logs onto the computer but me. Any ideas?
    >
    > -----Original Message-----
    > From: Chad Smykay [mailto:csmykay@RACKSPACE.COM]
    > Sent: Tuesday, September 18, 2001 1:54 PM
    > To: win2ksecadvice@LISTSERV.NTSECURITY.NET
    > Subject: Increase of scanning.
    >
    >
    > Apparently there is a new worm called "nimda". Here is some REALLY general
    > info:
    >
    > http://www.f-secure.com/v-descs/nimda.shtml
    >
    > Other links in regards to this:
    >
    > http://www.cert.org/current/current_activity.html#port80
    >
    > http://www.cert.org/advisories/CA-2001-11.html
    >
    >
    > However I wanted to review what I have found so far. From what I can tell
    > there is an "mmc.exe" process or processes that is being run when there are
    > NO other users logged in and no such process being spawned.
    >
    > Also it appears to be doing NetBIOS scans at the same time it is doing these
    > IP range scans. By monitoring a current server that is running this
    > exploit, I see about 20-30 "net.exe" and "net1.exe" being spawned. Most
    > likely they are also trying to do NetBIOS scans either on the current
    > network they are on or other IP ranges.
    >
    > The only thing that we can think to do at this time is to block this traffic
    > VIA IDS.
    >
    > It also appears that they are attempting to send this new "readme.exe" via
    > IIS SMTP Server, but we can not confirm that right now. Anyone?
    >
    > Here is a snippet from the log files that you will probably see if you check
    > right now on your server:
    >
    > <-- Begin Logfile snip
    > [Tue Sep 18 08:13:17 2001] [error] [client 195.124.124.237] File does not exist: /usr/local/etc/httpd/sites/default.ida
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/root.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/MSADC/root.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/c/winnt/system32/cmd.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/d/winnt/system32/cmd.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..Á../winnt/system32/cmd.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..À¯../winnt/system32/cmd.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..Áoe../winnt/system32/cmd.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
    > [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..%2f../winnt/system32/cmd.exe
    > <-- End logfile snip
    >
    > Please note that the above is from a Linux Web server but you will see the
    > same across the board.
    >
    > Here is another snip for a Windows NT server logfile
    >
    > <-- Begin log snip
    > 14:48:02 209.61.190.233 GET /scripts/root.exe 403
    > 14:48:02 209.61.190.233 GET /MSADC/root.exe 200
    > 14:48:31 209.61.187.113 GET /scripts/root.exe 403
    > 14:48:31 209.61.187.113 GET /MSADC/root.exe 200
    > 14:48:31 209.61.187.113 GET /MSADC/root.exe 502
    > 14:48:31 209.61.187.113 GET /MSADC/Admin.dll 500
    > 14:48:31 209.61.187.113 GET /c/winnt/system32/cmd.exe 404
    > 14:48:31 209.61.187.113 GET /d/winnt/system32/cmd.exe 404
    > 14:48:31 209.61.187.113 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    > 14:48:31 209.61.187.113 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    > 14:48:31 209.61.187.113 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
    > 14:48:31 209.61.187.113 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
    > 14:48:31 209.61.187.113 GET /scripts/..Á../winnt/system32/cmd.exe 403
    > 14:48:31 209.61.187.113 GET /scripts/winnt/system32/cmd.exe 403
    > 14:48:31 209.61.187.113 GET /scripts/../../winnt/system32/cmd.exe 403
    > 14:48:31 209.61.187.113 GET /scripts/..\../winnt/system32/cmd.exe 403
    > 14:48:31 209.61.187.113 GET /scripts/..S5c../winnt/system32/cmd.exe 403
    > 14:48:31 209.61.187.113 GET /scripts/..S5c../winnt/system32/cmd.exe 403
    > 14:48:31 209.61.187.113 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    > 14:48:31 209.61.187.113 GET /scripts/..%2f../winnt/system32/cmd.exe 403
    > <-- End log snip
    >
    >
    >
    > If you have ANY additional info please share with everyone.
    >
    > Kind Regards,
    >
    > Chad Smykay
    > Rackspace Managed Hosting
    >
    >
    >
    >
    > ______________________________________
    > Chad Smykay
    > Sys Admin Complex Division
    > Rackspace Managed Hosting
    > 800-961-4454 ext. 1249.
    > ______________________________________
    >
    > _____________________________________________________________________
    > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    > SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
    >
    >
    > ______________________________________________________________
    >
    > CONFIDENTIALITY NOTICE
    > This communication and the information it contains is
    > intended for the person or organisation to whom it is
    > addressed. Its contents are confidential and may be
    > protected in law. Unauthorised use, copying or disclosure of
    > any of it may be unlawful. If you are not the intended
    > recipient, please contact us immediately.
    >
    > The contents of any attachments in this e-mail may contain
    > software viruses, which could damage your own computer
    > system. While Marlborough Stirling has taken every
    > reasonable precaution to minimise this risk, we cannot accept
    > liability for any damage which you sustain as a result of
    > software viruses. You should carry out your own virus
    > checking procedure before opening any attachment.
    >
    > Marlborough Stirling plc, Registered No. 3008820,
    > Allen Jones House, Jessop Avenue, Cheltenham,
    > Gloucestershire, GL50 3SH
    > Tel: 01242 547000 Fax: 01242 547100
    > http://www.marlborough-stirling.com
    >
    > The following companies are subsidiaries of Marlborough
    > Stirling plc and are registered in England and Wales at the
    > above address:
    > Marlborough Stirling PLC, Registered No. 3008820
    > The Marlborough Stirling Group PLC, Registered No. 1855353
    > Marlborough Stirling Administration Limited, Registered No. 2341195
    > Metgem Limited, Registered No. 02341195
    >

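The probes in the two log snippets quoted above are a handful of request names (root.exe, Admin.dll, default.ida, cmd.exe behind a traversal) sent in several encodings. As an added example, not code from any of the posts, here is a small Python scanner that parses both log shapes from the thread, canonicalizes each path the way a decoder that double-decodes percent-escapes and accepts overlong two-byte UTF-8 would resolve it, and names the probe. The sample log lines are constructed to mirror the shapes in the thread (the client IPs are the ones that appear there); the emulated decoding quirks are this example's reading of what the %5c / %c0%af style strings target, not something the posts state.

```python
"""Flag Nimda-style IIS probes in the two log formats quoted in the thread.

Added example (not from the original posts). It emulates two decoder quirks
the probe strings rely on: double percent-decoding (%255c -> %5c -> '\\') and
lenient two-byte UTF-8 folding (%c0%af -> '/', %c1%1c and %c1%9c -> '\\').
"""
import re
from urllib.parse import unquote_to_bytes

# Apache error_log shape from the thread ("File does not exist" is a 404).
APACHE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
# IIS log shape from the thread: "HH:MM:SS client-ip METHOD path status".
IIS_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}) (?P<ip>[\d.]+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)


def lenient_utf8_fold(data: bytes) -> bytes:
    """Fold a 2-byte UTF-8 lead (0xC0-0xDF) plus the following byte into
    ((lead & 0x1F) << 6) | (next & 0x3F); if the result is ASCII, emit that
    ASCII byte. Valid UTF-8 never encodes ASCII this way, which is exactly
    what makes ..%c0%af.. a '../' to a decoder that accepts it."""
    out, i = bytearray(), 0
    while i < len(data):
        if 0xC0 <= data[i] <= 0xDF and i + 1 < len(data):
            cp = ((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 2
                continue
        out.append(data[i])
        i += 1
    return bytes(out)


def canonicalize(path: str) -> str:
    """Lowercase, forward-slash form of the path after two rounds of
    percent-decoding (catches %255c and %%35c) and overlong-UTF-8 folding."""
    raw = path.encode("latin-1", "replace")
    for _ in range(2):
        raw = unquote_to_bytes(raw)
    raw = lenient_utf8_fold(raw)
    return raw.replace(b"\\", b"/").decode("latin-1").lower()


def classify(path: str):
    """Name the probe a request path corresponds to, or None if benign."""
    p = canonicalize(path)
    if p.endswith("/root.exe"):
        return "root.exe backdoor probe"
    if p.endswith("/admin.dll"):
        return "Admin.dll request"
    if p.endswith("/default.ida"):
        return "default.ida (.ida) probe"
    if p.endswith("/cmd.exe"):
        return "cmd.exe via traversal" if "/../" in p else "cmd.exe direct request"
    return None


def parse_line(line: str):
    m = APACHE_RE.match(line)
    if m:
        return {"ip": m["ip"], "path": m["path"], "status": 404}
    m = IIS_RE.match(line)
    if m:
        return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}
    return None


def scan(lines):
    """One record per probe line. 'succeeded' marks a 200 on a probe path:
    a 200 for /MSADC/root.exe means the file exists on the server, i.e. the
    host answering is already backdoored, not merely being scanned."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        label = classify(rec["path"]) if rec else None
        if label:
            rec.update(label=label, succeeded=rec["status"] == 200)
            hits.append(rec)
    return hits


# Constructed sample lines in the two shapes quoted in the thread (not copied
# from a real server; only the client IPs are taken from the thread).
SAMPLE_LOG = [
    "[Tue Sep 18 08:13:17 2001] [error] [client 195.124.124.237] File does not exist: /usr/local/etc/httpd/sites/default.ida",
    "[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/root.exe",
    "[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe",
    "[Tue Sep 18 08:22:20 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/index.html",
    "14:48:02 209.61.190.233 GET /MSADC/root.exe 200",
    "14:48:31 209.61.187.113 GET /MSADC/Admin.dll 500",
    "14:48:31 209.61.187.113 GET /scripts/..%c0%af../winnt/system32/cmd.exe 403",
    "14:48:31 209.61.187.113 GET /scripts/..%255c../winnt/system32/cmd.exe 403",
    "14:48:31 209.61.187.113 GET /c/winnt/system32/cmd.exe 404",
    "14:48:35 10.0.0.7 GET /default.htm 200",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        flag = "BACKDOOR?" if h["succeeded"] else "probe"
        print(f"{h['ip']:16} {h['status']} {flag:9} {h['label']}: {h['path']}")
```

On the Linux server every probe is a plain 404, so the value of the scan there is the source list, not the outcome; on the IIS side the status column matters, and a 200 on a root.exe path deserves a look at that server, not just at the client IP.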