RE: new worm going around?

  • From: "Michael Jankowski" <skyjumpr@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 18 Sep 2001 12:40:29 -0500

Looking through my logs I've seen attacks from source addresses that had
previously been trying to pass the Code Red virus/trojan. These new
attacks may be a new variation of Code Red or they could be a script
run from those machines that were infected (and never cleaned up). One
of the results of Code Red is that it made it possible for someone to
install a backdoor into the system, thereby allowing some other code to
be run at a later time. This may be that code, or perhaps someone just
figured out a way to take advantage of the infected machines.

Michael


-----Original Message-----
From:   Nick Chadwick
Sent:   Tue 9/18/2001 11:01 AM
To:     [ISAserver.org Discussion List]
Cc:     
Subject:        [isalist] RE: new worm going around?
http://www.ISAserver.org


This worm could be extremely nasty...testing a variant of one of the
requests in my web proxy log, I deleted a file from the root directory
of my ISA server.

If you're not 100% sure your web server is immune to these requests, I
suggest shutting it down now.

Nick Chadwick
Development & Technical Support Manager
Comsoft Limited, UK
Tel: +44-(0)20-8240-4452  Fax: +44-(0)20-8240-4449  Mobile: +44-(0)7740-362408
Email: nick@xxxxxxxxxxxxxx <mailto:nick@xxxxxxxxxxxxxx>
Web: http://www.comsoft.ltd.uk/


-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: 18 September 2001 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: new worm going around?




As a precaution, I suggest you shut down port 69/UDP, which is tftp.

-----Original Message-----
From: marc.boutin@xxxxxxxxx [mailto:marc.boutin@xxxxxxxxx]
Sent: Tuesday, September 18, 2001 11:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: new worm going around?




So is mine! It's been hit since this morning! And it hasn't stopped...



-----Original Message-----
From: Nick Chadwick [mailto:nick@xxxxxxxxxxxxxx]
Sent: Tuesday, September 18, 2001 11:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: new worm going around?




Yes, my ISA server is being hit by it. Every 10 minutes or so, it's
being hit 50 times in a matter of seconds.

Nick Chadwick


-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: 18 September 2001 16:36
To: [ISAserver.org Discussion List]
Subject: [isalist] new worm going around?




http://slashdot.org/article.pl?sid=01/09/18/151203&mode=nested

Anybody else seeing this?  Lots of attacks on various places cmd.exe
might be.

ISA Snippity-snippit

207.175.201.20  anonymous       -       N       2001-09-18      13:33:53        W3ReverseProxy  GATEKEEPER      -       www     -       -       -       70      -       -       TCP     GET     http://www/MSADC/root.exe?/c+dir        -       -       12202   0x0     Default rule    -


Shayne Lebrun
Senior Systems Administrator
Veredex Logistics
slebrun@xxxxxxxxxxx
Office: (905) 282-1515 x 242
Pager: page_shayne@xxxxxxxxxxx

Think your network might have Code Red?  Find those pesky root.exe files
with Root Finder: http://www.tangozone.com/slebrun/downloads.tml

From a Sun Microsystems bug report (#4102680):
"Workaround: don't pound on the mouse like a wild monkey."

Want to hold up a bank in Latin?
"Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum
immane mittam."
(I have a catapult. Give me all the money, or I will fling an enormous
rock at your head.)

"Lawyers are like chemical weapons.  Everybody gets screwed if they're
let out."
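
Added example, not part of any message in this thread: a Python sketch that scans ISA web proxy log lines like the one quoted above for requests naming root.exe or cmd.exe, and reports sources that send several such requests within a few seconds. The field layout is inferred from that single log line; every sample line except the first is constructed, and the `min_hits` and `window` thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PROBE_NAMES = ("root.exe", "cmd.exe")  # the executables named in the thread
# Anchor on what is recognisable in the quoted line: source IP first,
# then date and time, then an upper-case method followed by a URL.
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s.*?"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s.*?"
    r"\s(?P<method>[A-Z]+)\s+(?P<url>https?://\S+)")

def parse_line(line):
    """Return source, timestamp and URL for one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    return {"src": m["src"], "ts": ts, "url": m["url"]}

def is_probe(url):
    """True when the last path segment (query ignored) is a probed name."""
    path = url.split("?", 1)[0].lower()
    return path.rsplit("/", 1)[-1] in PROBE_NAMES

def find_bursts(lines, min_hits=3, window=timedelta(seconds=10)):
    """Group probe hits per source; flag sources with min_hits in window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["url"]):
            hits[rec["src"]].append(rec["ts"])
    bursts = {}
    for src, stamps in hits.items():
        stamps.sort()
        start = best = 0
        for end in range(len(stamps)):      # sliding window over time
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            bursts[src] = best
    return hits, bursts

_T = ("{ip} anonymous - N 2001-09-18 {t} W3ReverseProxy GATEKEEPER - www "
      "- - - 70 - - TCP GET http://www{p} - - 12202 0x0 Default rule -")
SAMPLE = [
    _T.format(ip="207.175.201.20", t="13:33:53", p="/MSADC/root.exe?/c+dir"),  # from the thread
    _T.format(ip="192.0.2.7", t="13:40:01", p="/scripts/root.exe?/c+dir"),    # constructed
    _T.format(ip="192.0.2.7", t="13:40:02", p="/scripts/cmd.exe?/c+dir"),     # constructed
    _T.format(ip="192.0.2.7", t="13:40:03", p="/MSADC/root.exe?/c+dir"),      # constructed
    _T.format(ip="198.51.100.9", t="13:41:00", p="/index.html"),              # constructed, benign
]

if __name__ == "__main__":
    hits, bursts = find_bursts(SAMPLE)
    print({s: len(t) for s, t in hits.items()}, bursts)
```
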
 
