Security Incidents mailing list archives
RE: Code Red Scan
From: Richard Bradford <rbradford () vendaregroup com>
Date: Wed, 1 Aug 2001 10:30:53 -0700
I just nbtstat 'd this guys DSL. I winpopped him to let him know his IIS box is open. C:\>net send 64.173.141.242 you're wide open Patch your machine! The message was successfully sent to 64.173.141.242 C:\>net send 64.173.141.242 The Chinese Worm is scanning from your box. The message was successfully sent to 64.173.141.242. Looks like some guy teaching a class...I can map a drive to his C$ as well... sad..sad...sad.... C:\>nbtstat -A 64.173.141.242 Local Area Connection: Node IpAddress: [10.3.21.59] Scope Id: [] NetBIOS Remote Machine Name Table Name Type Status --------------------------------------------- INSTRUCTOR <00> UNIQUE Registered TRAINING <00> GROUP Registered INSTRUCTOR <20> UNIQUE Registered TRAINING <1E> GROUP Registered INSTRUCTOR <03> UNIQUE Registered INet~Services <1C> GROUP Registered IS~INSTRUCTOR..<00> UNIQUE Registered TRAINING <1D> UNIQUE Registered ..__MSBROWSE__.<01> GROUP Registered DUNCANC <03> UNIQUE Registered MAC Address = 00-10-5A-29-E2-19 -----Original Message----- From: Jonathan Rickman [mailto:jonathan () xcorps net] Sent: Wednesday, August 01, 2001 9:52 AM To: abuse () pacbell net Cc: incidents () securityfocus com Subject: Code Red Scan Please take the following information for action... Log entry from www.xcorps.net: ============================== 64.173.141.242 - - [01/Aug/2001:12:43:49 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u780 1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078% u0000%u00=a HTTP/1.0" 400 252 ============================== Offender: ========= adsl-64-173-141-242.dsl.snfc21.pacbell.net ========= Information on the Code Red Worm can be obtained by sending email to: code-red () xcorps net Thank you for your prompt attention to this matter... -- Jonathan Rickman X Corps Security http://www.xcorps.net ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Code Red Scan Jonathan Rickman (Aug 01)
- <Possible follow-ups>
- RE: Code Red Scan Richard Bradford (Aug 01)