Actually, I believe if you telnet in there are ways to actually shut down the infected machine.
But don't ask me how :)

-----Original Message-----
From: Bjorn Nilsen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 30 January 2002 7:12 p.m.
To: 'Mark Carey'; [EMAIL PROTECTED]
Subject: RE: Mature comments appreciated

Looks like CodeRed to me. This is a trojan/virus, so I doubt it is being done intentionally. CodeRed infects computers by exploiting a hole in IIS. There is bugger all you can do about this, except that if you're running IIS, make sure it is patched. You could see if that IP has a mail server running on it, then notify them that they are infected by sending an email to postmaster@IP, but that's a long shot.

Bjorn

-----Original Message-----
From: Mark Carey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 30 January 2002 6:47 p.m.
To: [EMAIL PROTECTED]
Subject: Mature comments appreciated

I am currently 'playing' with apache; does anyone here ever get tired of:

<snip>
[Wed Jan 30 15:30:59 2002] [error] [client 210.74.146.190] File does not exist: /somedir/scripts/root.exe
[Wed Jan 30 15:31:01 2002] [error] [client 210.74.146.190] File does not exist: /somedir/MSADC/root.exe
[Wed Jan 30 15:31:03 2002] [error] [client 210.74.146.190] File does not exist: /somedir/c/winnt/system32/cmd.exe
[Wed Jan 30 15:31:05 2002] [error] [client 210.74.146.190] File does not exist: /somedir/d/winnt/system32/cmd.exe
[Wed Jan 30 15:31:06 2002] [error] [client 210.74.146.190] File does not exist: /somedir/scripts/..%5c../winnt/system32/cmd.exe
[Wed Jan 30 15:31:08 2002] [error] [client 210.74.146.190] File does not exist: /somedir/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Jan 30 15:31:10 2002] [error] [client 210.74.146.190] File does not exist: /somedir/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Jan 30 15:31:12 2002] [error] [client 210.74.146.190] File does not exist: /somedir/msadc/..%5c../..%5c../..%5c/..�^\../..�^\../..�^\../winnt/system32/cmd.exe
</snip>

I mean, this attack was directed at an NT/2k/XP machine. I have whois'ed the IP and have someone to complain to; what is the general attitude here towards responding to provocation such as this? I do realise that .190 is not a specific address and will probably not be traceable back to the perpetrating computer. But someone needs a good stiff slapping with a dripping wet trout.

Mark Carey
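The request sequence in Mark's excerpt (the root.exe backdoor left behind by Code Red II, then cmd.exe through the drive-share virtual directories, then cmd.exe through %5c and overlong-UTF-8 directory traversal) is the probe set the Nimda worm sent to every web server it could reach, whether or not the target ran IIS. The script below is an added example, not code from the thread or from any of its authors: it parses Apache 1.3-style "File does not exist" error-log lines, undoes the encodings the worm relied on so the traversal becomes visible, and tallies the probe types per client IP. The sample log is constructed after the post's excerpt; the msadc line is written with %c1%1c escapes standing in for the raw bytes Apache logged (shown garbled in the post), and one unrelated 404 is added to show it is ignored. The label names and the assumption that only root.exe and cmd.exe requests are worth flagging are this example's own choices.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample, modelled on the log excerpt in the post (not a real capture).
SAMPLE_LOG = """\
[Wed Jan 30 15:30:59 2002] [error] [client 210.74.146.190] File does not exist: /somedir/scripts/root.exe
[Wed Jan 30 15:31:01 2002] [error] [client 210.74.146.190] File does not exist: /somedir/MSADC/root.exe
[Wed Jan 30 15:31:03 2002] [error] [client 210.74.146.190] File does not exist: /somedir/c/winnt/system32/cmd.exe
[Wed Jan 30 15:31:05 2002] [error] [client 210.74.146.190] File does not exist: /somedir/d/winnt/system32/cmd.exe
[Wed Jan 30 15:31:06 2002] [error] [client 210.74.146.190] File does not exist: /somedir/scripts/..%5c../winnt/system32/cmd.exe
[Wed Jan 30 15:31:08 2002] [error] [client 210.74.146.190] File does not exist: /somedir/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Jan 30 15:31:10 2002] [error] [client 210.74.146.190] File does not exist: /somedir/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Jan 30 15:31:12 2002] [error] [client 210.74.146.190] File does not exist: /somedir/msadc/..%5c../..%5c../..%5c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
[Wed Jan 30 15:40:00 2002] [error] [client 192.0.2.10] File does not exist: /somedir/favicon.ico
"""

# Apache 1.3 error-log shape: [timestamp] [error] [client IP] File does not exist: PATH
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
    r'File does not exist: (?P<path>.+)$'
)

# Overlong UTF-8 sequences used to smuggle '/' and '\' past IIS path checks.
# After %-decoding with latin-1 each byte is one character, so they can be
# matched as two-character strings.
OVERLONG = {
    '\xc0\xaf': '/',
    '\xc1\x9c': '\\',
    '\xc1\x1c': '\\',
}


def normalize(path: str) -> str:
    """Undo the worm's encodings so traversal is visible in the result.

    Repeated %-decoding turns %255c into %5c into '\\'; overlong UTF-8 forms
    are mapped to the separator they stand for; all backslashes become '/'.
    """
    prev = None
    while path != prev:
        prev = path
        path = unquote(path, encoding='latin-1')
    for seq, sep in OVERLONG.items():
        path = path.replace(seq, sep)
    return path.replace('\\', '/')


def classify(path: str):
    """Return a probe label for a requested path, or None if it is not one of
    the IIS-worm probe shapes seen in the post (labels are this example's)."""
    norm = normalize(path).lower()
    if norm.endswith('/root.exe'):
        return 'root.exe backdoor probe'
    if norm.endswith('/winnt/system32/cmd.exe'):
        if '/../' in norm:
            return 'cmd.exe via traversal'
        return 'cmd.exe via drive-share path'
    return None


def scan_report(log_text: str) -> dict:
    """Map client IP -> {probe label: count} over Apache error-log lines.
    Lines that do not parse or are not worm probes are skipped."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m['path'])
        if label:
            report[m['ip']][label] += 1
    return {ip: dict(counts) for ip, counts in report.items()}


if __name__ == '__main__':
    for ip, counts in scan_report(SAMPLE_LOG).items():
        print(ip, counts)
```

Running it over the sample attributes all eight probes to 210.74.146.190 and drops the favicon miss. Decoding to a canonical form before matching is the point: a signature written against the literal `..%5c..` string misses the `%255c` double-encoded and `%c1%1c` overlong variants that the same worm sends in the same burst.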
