07:34
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Why would you put a link to an infected site? If someone does not have
Sept 18th patterns they will immediately be infected???
-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Tuesday,
Title: RE: WARNING: Hacker Alert
Fix
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A
-Original Message-
From: Robert E Young - NetX [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:31 PM
To: NT System Admin Issues
Subject: Re: WARNING
: Wednesday, September 19, 2001 1:52 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
In a follow up from this message, I contacted some senior people at
Wcom/ UUNet this afternoon and asked about the validity of the attack
from Wcom - this was the first they had heard that.
Steve
voice
240-465-0323 Efax
-Original Message-
From: Dean Cunningham [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 4:48 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
It targets the class A that your server is on and heavily targets the class
b your
om: Robert E Young - NetX [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 September 2001 6:31 a.m.
To: NT System Admin Issues
Subject: Re: WARNING: Hacker Alert
Anything with 63 octet has the problem, I have heard it is due to a MCI
Worldcom attack.
I see you have the 63 octet.
Robert E, Youn
Title: RE: WARNING: Hacker Alert
I am not sure. I usually wasn't in that partition. I have been running XP for quite a while now and generally stay there. I had not been taking care of my W2K OS. The more I think about it, I think that I caused the problem. I was at work and when the
Shannon -- What version and SP did you have of
Internet Explorer?
Higgins
-Original Message-
From: Shannon Speck [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:38 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
I, like a dumbass went to this site and
I rebooted and rescanned -- no infected files! :-)
>-Original Message-
>From: Mathews, James E. [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 19, 2001 12:04 PM
>To: NT System Admin Issues
>Subject: RE: WARNING: Hacker Alert
>
>
>I think someone else ask
Title: RE: WARNING: Hacker Alert
I, like a dumbass went to this site and it fried some windows files and my pc wouldn't boot after that. Luckily I dual boot two NTFS partitions so I was able to come back up under XP and get all my data back. Still had to reformat the W2k partition. Re-in
D]]
Sent: Wednesday, September 19, 2001 9:15 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
No problem, Martin! I am not putting any blame on you
at all. It's these #$@% people with nothing else
better to do than to do everything they can to
irritate people.
Higgins
ember 19, 2001 11:48 AM
>To: NT System Admin Issues
>Subject: RE: WARNING: Hacker Alert
>
>
>Well, because at the time, nobody knew what it could
do when you hit the
>site. When I hit it, it didn't do anything to me. So
essentially, nobody
>knew.
>I thought it was just
Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 11:48 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Well, because at the time, nobody knew what it could do when you hit the
site. When I hit it, it didn't do anything to me. So essentially, nobody
knew.
I th
Message-
>From: David B. Lunn [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 19, 2001 1:34 AM
>To: NT System Admin Issues
>Subject: RE: WARNING: Hacker Alert
>
>
>Why would you put a link to an infected site? If
someone does not have
>sept 18th patterns T
pply? Why is the
file in the temporary internet folder marked detected
as infected anyway?
TIA,
Higgins
>-Original Message-
>From: David B. Lunn [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 19, 2001 1:34 AM
>To: NT System Admin Issues
>Subject: RE: WARNING: Ha
Uhh Steve this isn't a sales list. Email him offline please
-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: September 19, 2001 7:40 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
It's called St Bernard Software UpDate Expert. T
EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 1:29 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Importance: High
> This is a real can of super ugly worms and you need a total
> security policy for your site not just blocking executables via email.
Tell me about it. I
/
-Original Message-
From: Rocky Stefano [mailto:[EMAIL PROTECTED]]
Sent: 19 September 2001 06:36
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
St. Bernard software.
-Original Message-
From: Bob's Lists [mailto:[EMAIL PROTECTED]]
Sent: September 19, 2001 1:29 AM
T
St. Bernard software.
-Original Message-
From: Bob's Lists [mailto:[EMAIL PROTECTED]]
Sent: September 19, 2001 1:29 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Importance: High
> This is a real can of super ugly worms and you need a total
> security
: WARNING: Hacker Alert
Here is a site that has been hit
http://216.39.178.32
-Original Message-
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 7:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
CodeRed seems to have dwindled to nothing
> This is a real can of super ugly worms and you need a total
> security policy for your site not just blocking executables via email.
Tell me about it. I have 13 servers here, 3 of them *nix. All of them survived except
one which got hit, because it had a trust relationship with a web design
AIL PROTECTED]]
Sent: Wednesday, 19 September 2001 8:47 a.m.
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
I still don't realize why some administrators let executables thru their
email systems. Yes, it is very handy to send the latest game or sol.exe
file to your buddy but it
Title: RE: WARNING: Hacker Alert
I've managed to search and destroy all readme.eml
root.exe
readme.exe
admin.dll (56K file shown as an audio xwave type file)
all on several servers. All "seem ok for now" but my PDC/Exchange Server is still re-generating these files onto itse
Sent: Tuesday, September 18, 2001 3:45 PM
To: NT System Admin Issues
Subject: Re: WARNING: Hacker Alert
Where? http://download.mcafee.com/updates/updates.asp? not there?
- Original Message -
From: "Clark, Steve" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <
-0323 Efax
-Original Message-
From: www.kenmcphail.com [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:45 PM
To: NT System Admin Issues
Subject: Re: WARNING: Hacker Alert
Where? http://download.mcafee.com/updates/updates.asp? not there?
- Original Message -
From
ng or very foolish imagine
otherwise. - George Orwell
-Original Message-
From: Murray Binette [mailto:[EMAIL PROTECTED]]
Sent: September 18, 2001 13:40 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Do these appear to be emails from friends or people on your contact
Where? http://download.mcafee.com/updates/updates.asp? not there?
- Original Message -
From: "Clark, Steve" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 2:29 PM
Subject: RE: WARNING: Hacker Alert
- Original Message -
From: "Ian Kelly" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 7:55 PM
>It's an IIS attack, not email based
It's both: Data so far:
This worm does the following:
1) Port scans IP addresses looking for open port 80 (web servers). Upon finding
a web server,
:17 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
No pattern update or cleaner tool available yet from Symantec. Probably
soon.
Mark Kelsay
<[EMAIL PROTECTED]>
Title: Message
What is the status code for each line? (At the end of each line in the
log)?
-Original Message-
From: Witt, Michael S [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 1:52 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
I
<[EMAIL PROTECTED]>
cc:
09/18/2001 Subject: RE: WARNING: Hacker Alert
11
sues
Subject: RE: WARNING: Hacker Alert
For all of you ANTIGEN users,
Set the following filter to deal with this issue:
File Name: readme.exe
File types: all types
Action: Delete: remove contents
Nelson Aguillón
626.937.6693
-Original Message-
From: Terry Manolakos [m
Title: RE: WARNING: Hacker Alert
The best way to do this is with a Firewall
Rule. This will prevent your webservers from getting overloaded by illicit
traffic.
xylog
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001
11
Do these appear to be emails from friends or people on your contact
list??
-Original Message-
From: Luke Brumbaugh [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:39 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
If you have updated for Code Red, do we
: WARNING: Hacker Alert
All my public facing web servers at home and at my office have shown a huge
continuous hacking activity. Has anyone seen similar? I fear this may be
code red related or automated. Please comment if you have seen similar. Here
is an excerpt from one logfile:
63.101.9.107, -, 9/18
1 12:20 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
its called w32nimda.a@mm this thing infected all my servers brand new virus
-Original Message-
From: Kelly Borndale [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:00 AM
To
Title: RE: WARNING: Hacker Alert
I have found these entries in my logs. How do I know if the commands were
successful? Is the fact that it was logged an indicator that the command
had a problem (failed)?
-Original Message-
From: Jerry Gamblin [mailto:[EMAIL PROTECTED]]
Sent
Sp2 and all the critical updates. (Never infected by code red)
-Original Message-
From: Kelly Borndale [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:57 PM
To: NT System Admin Issues
Subject: Re: WARNING: Hacker Alert
Did you apply the rollup fix, or just
: Tuesday, September 18, 2001 9:20 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
its called w32nimda.a@mm this thing infected all my servers brand new virus
-Original Message-
From: Kelly Borndale [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:00 AM
PM
Subject: RE: WARNING: Hacker Alert
If you have updated for Code Red, do we need to do anything?
-Original Message-
From: Marr, Chris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:22 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Usama Bin
its called w32nimda.a@mm this thing infected all my servers brand new virus
-Original Message-
From: Kelly Borndale [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:00 AM
To: NT System Admin Issues
Subject: Re: WARNING: Hacker Alert
I have heard of it as
Usama Bin
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:52 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Why do people gotta do this shit now? damn...!
> -Original Mess
Title: RE: WARNING: Hacker Alert
Look at your Web Server logs for the following files to be opened...
/winnt/system32/cmd.exe
/scripts/root.exe
/MSADC/root.exe
/c/winnt/system32/cmd.exe
/d/winnt/system32/cmd.exe
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/_mem_bin/..%5c
If you have updated for Code Red, do we need to do anything?
-Original Message-
From: Marr, Chris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:22 PM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Usama Bin
-Original
Title: RE: WARNING: Hacker Alert
In the
web site properties, identification, advanced, don't have an entry that doesn't
have a host header. The only negative that I can think of is browsers of
approximately Version 2 series can't connect. Considering that IE 6 and
Netscap
CTED]]
Sent: Tuesday, September 18, 2001 10:47 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
I'm new to IS admin. What logs should I be looking at? I apply all security
patches as they come out so I was not hit by CodeRed.
-Original Message-
From: Martin Blackstone [mailto
Here is something from Russ...
- Original Message -
From: "Russ" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 10:21 AM
Subject: Alert: Some sort of IIS worm seems to be propagating
There have been numerous reports of IIS attacks being generated by
machi
acking the more local subnets.
Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]
-Original Message-
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:50 AM
To: NT System Admin Issues
Cc: '[EMAIL PROTECTED]'
Sub
Wow! This could be it.
-Original Message-
From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:28 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
http://www.nipc.gov/warnings/advisories/2001/01-021.htm
http://www.sunbelt-software.com
Title: RE: WARNING: Hacker Alert
How do you do that?
-Original Message-
From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:26 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
looks like an exploit of the "Hacked by Chinese"
t: RE: WARNING: Hacker Alert
Here is a site that has been hit
http://216.39.178.32
-Original Message-
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 7:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
CodeRed seems to have dwindled to nothi
cure Corporation/NTBugtraq Editor
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -Original Message-
> From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 16:28
> To: NT System Admin Issues
> Subject: RE: WARNING: Hacker Alert
>
everyone else do the same.
xylog
-Original Message-
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
CodeRed seems to have dwindled to nothing on my logs. But it's being
replaced wit
looks like the same old code red to me.
> -Original Message-
> From: Randal, Phil [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 11:23 AM
> To: NT System Admin Issues
> Subject: RE: WARNING: Hacker Alert
>
>
> Looks like a new worm to me. Proba
Why do people gotta do this shit now? damn...!
> -Original Message-
> From: Jason Morris [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 15:59
> To: NT System Admin Issues
> Subject: RE: WARNING: Hacker Alert
>
>
> CodeRed seems to have dwindled to noth
CTED]>
Sent: Tuesday, September 18, 2001 10:28 AM
Subject: RE: WARNING: Hacker Alert
> http://www.nipc.gov/warnings/advisories/2001/01-021.htm
>
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
>
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http:[EMAIL PROTECTED]
Someone already mentioned this but it is a very new worm called
W32.Nimda.A@mm see above link for some information on it.
Heidi
Kevin Lundy wrote:
>
> http://www.nipc.gov/warnings/advisories/2001/01-021.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.ht
Here is a site that has been hit
http://216.39.178.32
-Original Message-
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 7:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
CodeRed seems to have dwindled to nothing on my logs. But it
Code Red!
-Original Message-
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:45 AM
To: NT System Admin Issues
Subject: WARNING: Hacker Alert
All my public facing web servers at home and at my office have shown a
huge continuous hacking activity. Has anyone
AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
Here is a site that has been hit
http://216.39.178.32
-Original Message-
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 7:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert
http://www.nipc.gov/warnings/advisories/2001/01-021.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> Sent: 18 September 2001 15:59
> To: NT System Admin Issues
> Subject: RE: WARNING: Hacker Alert
>
>
> CodeRed seems to have dwindled to nothing on my logs. But it's being
> replaced with the EXACT same lines you have below, and they
> stay consistent
> with the co
Title: Message
I'm hearing code blue
-Original Message-
From: Kelly Borndale [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:00 AM
To: NT System Admin Issues
Subject: Re: WARNING: Hacker Alert
I have heard of it as well... Waiting for more
ECTED]
-Original Message-
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:50 AM
To: NT System Admin Issues
Cc: '[EMAIL PROTECTED]'
Subject: RE: WARNING: Hacker Alert
Yes. It seems to be systems I have previously monitored hitting me with
codered
mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9
: WARNING: Hacker Alert
All my public facing web servers at home and at my office have
shown a huge continuous hacking activity. Has anyone seen similar? I fear
this may be code red related or automated. Please comment if you have
seen similar. Here is an excerpt from one logfile:
63.101.9.107
]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: NT System Admin Issues
Subject: WARNING: Hacker Alert
All my public facing web servers at home and at my office have shown a
huge continuous hacking activity. Has anyone seen similar? I fear this
may be code red related or automated. Please comment if
All my public facing web servers at home and at my office have shown a
huge continuous hacking activity. Has anyone seen similar? I fear this
may be code red related or automated. Please comment if you have seen
similar. Here is an excerpt from one logfile:
63.101.9.107, -, 9/18/01, 10:36:21, W3S
67 matches