How are we fighting this!!!  It is killing my server response times!!!

Thanks,
Robert

----- Original Message -----
From: "Bill Davidson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 1:32 PM
Subject: Re: Code Red backdoor triggered?


> Getting SLAMMED too...  So far only on one box as far as I can tell, but it
> is starting to generate so much traffic it is bringing it to its knees at
> some regular intervals.  We're definitely patched and have port blocking on
> (not that that helps port 80), so hopefully this latest onslaught is
> following the same rules as previous ones.
>
> There's some sick people out there - what is their electronic version of a
> week ago's events?  Give me a break....
>
> -Bill
> brainbox
> ----- Original Message -----
> From: "Rich Wild" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Tuesday, September 18, 2001 10:37 AM
> Subject: RE: Code Red backdoor triggered?
>
>
> > even we're getting hammered with syn flood attacks.
> >
> > Rich Wild
> >
> > > -----Original Message-----
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: 18 September 2001 15:52
> > > To: CF-Talk
> > > Subject: FW: Code Red backdoor triggered?
> > >
> > >
> > > It seems there may be some unusual network activity today
> > > worth noting.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > >
> > >
> > > -----Original Message-----
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, 18 September, 2001 10:49
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Code Red backdoor triggered?
> > >
> > >
> > > > Heads up. Pay attention to your servers today. I just
> > > > started detecting a *ton* of these requests. I think it's
> > > > a follow-up worm programmed to take advantage of the
> > > > backdoors Code Red dropped on infected computers. Maybe a
> > > > Code Red III?
> > > >
> > > > -Cameron
> > > >
> > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > > dhcp181.onewebsystems.com
> > > > (130.205.102.181) on port 80 (tcp).
> > > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > > /scripts/root.exe?/c+dir HTTP/1.0
> > > > Host: www
> > > > Connnection: close
> > >
> > > After a more careful reading, I don't think this is an attack at all. I
> > > think it's worse than an attack.
> > >
> > > The GET request doesn't do anything except run the DOS dir command using
> > > the command processor. But, if a server responds with an HTTP 200 status
> > > code, this indicates that the server is vulnerable to running cmd.exe
> > > through the web server.
> > >
> > > So, my guess is that this is a vulnerability scan. Once a list of
> > > vulnerable servers is compiled, a real attack would take much less time
> > > than a Code Red-style attack, since you could build the list of
> > > vulnerable servers into the attack code!
> > >
> > > This idea has been discussed a bit in the last month or so - it's called
> > > a "Warhol" worm, the idea being that an attack might cover the mass of
> > > vulnerable machines in fifteen minutes. Here's a URL to the article:
> > >
> > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
>
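A defender-side way to pull the signal Dave describes out of a web server log, added here as an example rather than code from anyone in this thread: it flags requests for root.exe or cmd.exe carrying a `/c+` command string, separates scans (non-200 responses) from requests the server actually served (HTTP 200, the condition that marks the box as exposed), and counts scan hits per source address so the bursts that drag down response times stand out. The IIS-style log layout, the field order and the sample lines are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log in a simplified IIS W3C layout (assumed, not a real log):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 09:25:55 192.0.2.181 GET /scripts/root.exe /c+dir 404
2001-09-18 09:25:56 192.0.2.181 GET /scripts/root.exe /c+dir 404
2001-09-18 09:25:57 192.0.2.181 GET /scripts/cmd.exe /c+dir 404
2001-09-18 09:26:01 10.0.0.7 GET /index.cfm - 200
2001-09-18 09:26:03 198.51.100.9 GET /scripts/root.exe /c+dir 200
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# The request from the thread targets root.exe (the copy of cmd.exe the Code Red
# backdoor left behind); match either binary name at the end of the URI stem.
BACKDOOR_RE = re.compile(r"(root|cmd)\.exe$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    when, ip, method, stem, query, status = m.groups()
    return {"time": when, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def classify(entry):
    """'served' if a backdoor request got HTTP 200 (the server ran the command),
    'scan' if it got any other status, None for ordinary traffic."""
    if not BACKDOOR_RE.search(entry["stem"]) or "/c+" not in entry["query"].lower():
        return None
    return "served" if entry["status"] == 200 else "scan"


def analyse(log_text):
    """Count scan hits per source and list every request the server served."""
    scans, served = Counter(), []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind == "scan":
            scans[entry["ip"]] += 1
        elif kind == "served":
            served.append((entry["ip"], entry["stem"], entry["query"]))
    return {"scans_by_ip": dict(scans), "served": served}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A non-empty `served` list is the finding to act on first; a large `scans_by_ip` count from one address is the load problem the thread complains about and a candidate for blocking upstream.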