More on the .eml files.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
-----Original Message-----
From: Dave Watts
Sent: Tuesday, 18 September, 2001 11:25
To: '[EMAIL PROTECTED]'
Subject: RE: Code Red backdoor triggered?
> It looks like when you surf to an infected site, it opens IE
> with a file named readme.eml which appears to contain a readme.exe.
> I don't have an email client on the server so I don't know what
> would happen if I did and I am not going to test it out. I
> also see a number (at least 10 - haven't counted yet) of
> different sites sending out requests, and interestingly they
> are all in the same subnet: my ip is 209.186.186.37 and they
> are all from 209.x.x.x
I just checked the logfile for one virtual server here, and I'm getting lots
of attacks from similar network addresses. I used a command-line HTTP
browser to connect to one of the attacking IPs, and saw the same
"readme.eml" thing, at the bottom of what appeared to be a regular page.
Based on my reading of the logfile, I think this is some Code Red variant or
followup; it's using the Code Red-specific backdoors mentioned in the
incidents.org URL Cameron posted. The only thing that doesn't sound right to
me is that I thought the Code Red trojan payload only worked with Win2K
(simply crashing IIS on NT 4), but several of the attacking servers are
identifying themselves as IIS 4.
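The logfile check Dave describes, as an added example (not code from the thread): it parses W3C extended web-server log lines, counts requests per network prefix so that sources clustered in one block stand out, and flags clients whose requests are almost all 404s. The log lines are constructed for the example, and the 404-ratio heuristic is an assumption of the example, not something the thread states.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in W3C extended log format (the IIS default); hosts,
# paths and times are made up for this example, not taken from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-18 11:02:13 209.186.12.4 GET /scan-path-1 404
2001-09-18 11:02:14 209.186.12.4 GET /scan-path-2 404
2001-09-18 11:02:15 209.186.12.4 GET /scan-path-3 404
2001-09-18 11:03:01 209.186.77.9 GET /scan-path-1 404
2001-09-18 11:03:02 209.186.77.9 GET /scan-path-2 404
2001-09-18 11:03:03 209.186.77.9 GET /index.cfm 200
2001-09-18 11:04:10 209.31.5.200 GET /scan-path-1 404
2001-09-18 11:04:11 209.31.5.200 GET /scan-path-2 404
2001-09-18 11:04:12 209.31.5.200 GET /scan-path-3 404
"""

def parse_w3c(text):
    """Return one dict per request line; '#' directive lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 6:
            continue
        records.append({"ip": f[2], "method": f[3], "uri": f[4], "status": int(f[5])})
    return records

def cluster_sources(records, prefix_len):
    """Requests per network prefix (e.g. 8 for /8), so one crowded block is obvious."""
    counts = Counter()
    for rec in records:
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts

def probing_sources(records, min_requests=3, min_404_ratio=0.8):
    """Heuristic (assumed here): a client whose requests are nearly all 404s is
    asking for files a normal visitor has no reason to expect on the site."""
    per_ip = defaultdict(list)
    for rec in records:
        per_ip[rec["ip"]].append(rec["status"])
    flagged = [ip for ip, st in per_ip.items()
               if len(st) >= min_requests and st.count(404) / len(st) >= min_404_ratio]
    return sorted(flagged, key=ipaddress.ip_address)

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("requests per /8:", cluster_sources(recs, 8).most_common())
    print("probing sources:", probing_sources(recs))
```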