Security Incidents mailing list archives

RE: Code Red and other anomalous activity from 1433


From: "lsi" <stuart () cyberdelix net>
Date: Fri, 12 Jul 2002 11:29:14 +0100

I have noticed more attempts than usual to establish a netbios connection to my system.  Also, I was on a
Chinese webserver the other day - www.suoluo.com - and I found some unusual stuff.  It appeared the
server had been cracked and was being used to scan other systems.  I downloaded the entire "worm"
directory and have been perusing it slowly since then.  A directory listing of the worm is below.  A
ready-to-install version of this "autorooter" - FluXay 4 - is at http://www.netxeyes.org/

The program includes over 100 attack scripts for various operating systems and servers, including Sun, 
Linux, and IIS, formmail, various shopping carts, etc.  It also mentions SQL, IPC, and password cracking.

Who knows whether this tool has anything to do with an increase in any kind of anomalous activity - but 
this tool is out there, it does look pretty nasty, and it was being used, although apparently this was in 
February, judging from timestamps.

Stuart

Directory of G:\down\hack\_worm

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
exploit        <DIR>        08/07/02  16:00 Exploit
help           <DIR>        08/07/02  16:00 Help
plugins        <DIR>        08/07/02  16:00 Plugins
reports        <DIR>        08/07/02  16:00 Reports
sqlrcmd        <DIR>        08/07/02  16:00 SqlRcmd
tools          <DIR>        08/07/02  16:00 Tools
fluxay4  exe     2,056,192  06/07/02  10:37 fluxay4.exe
1        flx           120  26/02/02   5:06 1.Flx
202982~1 ftp            42  26/02/02   5:06 202.98.221.5.ftp
1        hif           458  26/02/02   5:06 1.HIF
brute    dic            92  26/02/02   5:06 brute.dic
cgibugs  dat        20,571  26/02/02   5:06 cgibugs.dat
brute    ult            86  26/02/02   5:06 brute.ult
cracked  pwd           100  26/02/02   5:06 Cracked.pwd
dialup   ini             3  26/02/02   5:06 Dialup.ini
chinese  dic        36,753  26/02/02   5:06 chinese.dic
dict     his           293  26/02/02   5:07 dict.his
exploi~1 rul           825  26/02/02   5:07 exploit.rule
exploi~2 rul         1,557  26/02/02   5:07 exploit_cn.rule
exploi~3 rul         1,636  26/02/02   5:07 exploit_en.rule
fshttp   exe       192,512  26/02/02   5:07 FsHttp.exe
fshttp~1 htm        18,330  26/02/02   5:07 fshttp.html
ftp      hlt            15  26/02/02   5:07 FTP.hlt
http     hlt            45  26/02/02   5:07 HTTP.hlt
http1    gif        41,270  26/02/02   5:07 http1.gif
http2    gif        12,975  26/02/02   5:07 http2.gif
http3    gif         9,354  26/02/02   5:07 http3.gif
httpiis  hlt           737  26/02/02   5:07 HttpIIS.Hlt
ipcdet~1 inf           163  26/02/02   5:07 IpcDetail.Inf
ipchost  hlt         1,971  26/02/02   5:07 IpcHost.Hlt
ipclist  ini            75  26/02/02   5:07 IpcList.INI
ipcsin~1 ini           101  26/02/02   5:07 ipcsingle.ini
last     flx         1,740  26/02/02   5:08 Last.Flx
last     hif             0  26/02/02   5:08 Last.HIF
last     pwd             0  26/02/02   5:08 Last.pwd
libmysql dll       217,088  26/02/02   5:08 libmySQL.dll
mfc42    dll       995,383  26/02/02   5:08 MFC42.DLL
netxey~1 jpg        37,341  26/02/02   5:08 netxeyeslogo.jpg
msvcp60  dll       401,462  26/02/02   5:08 MSVCP60.DLL
ntcmd    exe        20,480  26/02/02   5:08 NTCmd.exe
name     dic         1,426  26/02/02   5:08 Name.dic
normal   dic         9,247  26/02/02   5:08 Normal.dic
ntipc    hlt           371  26/02/02   5:08 NTIPC.hlt
ntlmauth dll        20,480  26/02/02   5:08 NTLMAuth.dll
password dic        14,898  26/02/02   5:08 password.Dic
pipecmd  exe        40,960  26/02/02   5:08 PipeCmd.exe
pop      hlt            29  26/02/02   5:08 POP.hlt
pophost  hlt           125  26/02/02   5:08 PopHost.Hlt
pubauth  key        44,187  26/02/02   5:08 PubAuth.Key
report~1 htm             0  26/02/02   5:08 Report.html
restore  ini            56  26/02/02   5:08 restore.ini
rhv      dll        45,056  26/02/02   5:08 RHV.dll
sample1  gif         7,337  26/02/02   5:08 sample1.gif
sample2  gif         7,563  26/02/02   5:08 sample2.gif
sample3  gif         3,310  26/02/02   5:08 sample3.gif
sample4  gif        10,484  26/02/02   5:08 sample4.gif
sample5  gif         9,596  26/02/02   5:08 sample5.gif
sample6  gif         8,524  26/02/02   5:08 sample6.gif
sample7  gif         3,178  26/02/02   5:08 sample7.gif
search   his            30  26/02/02   5:08 search.his
server   dll           531  26/02/02   5:08 server.dll
single   dic             8  26/02/02   5:08 single.dic
single   ini             8  26/02/02   5:08 Single.INI
sqlhost  hlt           665  26/02/02   5:08 SqlHost.Hlt
sys_mo~1 dic         2,232  26/02/02   5:08 Sys_Month_Date.Dic
sys_year dic           300  26/02/02   5:08 Sys_Year.Dic
uninstal exe        19,483  26/02/02   5:08 uninstal.exe
uninstal ini        16,796  26/02/02   5:08 uninstal.ini
unixcgi  dat         6,328  26/02/02   5:08 unixcgi.dat
user     his            33  26/02/02   5:08 user.his
words    dic        91,453  26/02/02   5:09 Words.dic
        65 file(s)      4,434,464 bytes

Directory of G:\down\hack\_worm\Exploit

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
local          <DIR>        08/07/02  16:00 local
7350wu~1 gz         16,229  26/02/02   5:04 7350wu-v5.tar.gz
admmou~1 tgz         7,431  26/02/02   5:04 ADMmounted.tgz
amd      c           4,751  26/02/02   5:04 amd.c
linx86~1 c           9,624  26/02/02   5:04 linx86_bind.c
lsub     c           5,588  26/02/02   5:04 lsub.c
rpcaut~1 c           3,294  26/02/02   5:04 rpc.autofsd.c
rpc_cmsd c          12,455  26/02/02   5:04 rpc_cmsd.c
sadmin~1 c          17,254  26/02/02   5:04 sadmindex-sparc.c
seclpd   c          11,791  26/02/02   5:04 seclpd.c
snmpxd~1 c           8,279  26/02/02   5:04 snmpxdmid.c
statdx   c          19,729  26/02/02   5:04 statdx.c
ttdbse~1 c           9,017  26/02/02   5:04 ttdbserver.c
wuftp2~1 gz          3,861  26/02/02   5:04 wuftp25.tar.gz
        13 file(s)        129,303 bytes

Directory of G:\down\hack\_worm\Exploit\local

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
sunspa~1       <DIR>        08/07/02  16:00 Sun Sparc
su       c          12,554  26/02/02   5:04 su.c
         1 file(s)         12,554 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
5        6     <DIR>        08/07/02  16:00 5.6
5        7     <DIR>        08/07/02  16:00 5.7
5        8     <DIR>        08/07/02  16:00 5.8
         0 file(s)              0 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.6

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
lpset          <DIR>        08/07/02  16:00 lpset
lpstat         <DIR>        08/07/02  16:00 lpstat
netpr          <DIR>        08/07/02  16:00 netpr
         0 file(s)              0 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.6\lpset

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
default  htm        26,148  26/02/02   5:04 default.htm
         1 file(s)         26,148 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.6\lpstat

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
default  htm        27,868  26/02/02   5:04 default.htm
         1 file(s)         27,868 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.6\netpr

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
default  htm        26,424  26/02/02   5:04 default.htm
         1 file(s)         26,424 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.7

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
lpset          <DIR>        08/07/02  16:00 lpset
lpstat         <DIR>        08/07/02  16:00 lpstat
netpr          <DIR>        08/07/02  16:00 netpr
xsun           <DIR>        08/07/02  16:00 xsun
         0 file(s)              0 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.7\lpset

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
default  htm        26,148  26/02/02   5:04 default.htm
         1 file(s)         26,148 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.7\lpstat

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
default  htm        27,868  26/02/02   5:04 default.htm
         1 file(s)         27,868 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.7\netpr

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
default  htm        26,424  26/02/02   5:04 default.htm
         1 file(s)         26,424 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.7\xsun

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
default  htm        26,048  26/02/02   5:04 default.htm
         1 file(s)         26,048 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.8

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
kcssun         <DIR>        08/07/02  16:00 kcssun
         0 file(s)              0 bytes

Directory of G:\down\hack\_worm\Exploit\local\Sun Sparc\5.8\kcssun

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
default  htm        26,508  26/02/02   5:04 default.htm
         1 file(s)         26,508 bytes

Directory of G:\down\hack\_worm\Help

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
1        27    <DIR>        08/07/02  16:00 1.27
image          <DIR>        08/07/02  16:00 image
faq      mht        20,731  26/02/02   5:05 faq.mht
fluxay~1 htm        24,924  26/02/02   5:05 fluxay4.html
form     mht       205,476  26/02/02   5:05 form.mht
http     mht       476,093  26/02/02   5:06 http.mht
index~1  htm         2,405  26/02/02   5:06 index.html
ipc      mht       165,112  26/02/02   5:06 ipc.mht
remote   mht        93,332  26/02/02   5:06 remote.mht
plugin~1 htm        12,539  26/02/02   5:06 plugin.html
sql      mht       181,576  26/02/02   5:06 sql.mht
result~1 htm        39,513  26/02/02   5:06 result.html
        10 file(s)      1,221,701 bytes

Directory of G:\down\hack\_worm\Help\1.27

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
additi~1 htm         4,712  26/02/02   5:04 addition_filelist.html
anfade~1 cla        16,397  26/02/02   5:04 AnFade.class
anfade   jar        11,065  26/02/02   5:04 AnFade.jar
dictcomb gif         4,590  26/02/02   5:04 DICTCOMB.GIF
dictpr~1 gif         8,310  26/02/02   5:04 dictproper.gif
dictsp~1 gif         4,373  26/02/02   5:04 dictsplit.gif
engdict  gif         8,512  26/02/02   5:04 ENGDICT.GIF
engdic~1 gif         3,465  26/02/02   5:04 engdictad.gif
flux     gif        40,417  26/02/02   5:04 FLUX.GIF
flux1    gif        26,519  26/02/02   5:04 FLUX1.GIF
flux2    gif        40,417  26/02/02   5:04 FLUX2.GIF
flux3    gif        47,837  26/02/02   5:04 FLUX3.GIF
flux4    gif        60,885  26/02/02   5:04 FLUX4.GIF
flux5    gif        45,600  26/02/02   5:04 FLUX5.GIF
fluxst~1 gif        50,671  26/02/02   5:04 fluxstartup.gif
functi~1 gif         5,248  26/02/02   5:04 function_attackoption.gif
functi~2 gif         1,930  26/02/02   5:04 function_connectoption.gif
functi~3 gif        22,891  26/02/02   5:04 function_dictIII_1.gif
functi~4 gif        21,942  26/02/02   5:04 function_dictIII_2.gif
functi~5 gif        22,408  26/02/02   5:04 function_dictIII_3.gif
functi~6 gif         7,823  26/02/02   5:04 function_dictIII_4.gif
functi~7 gif        21,021  26/02/02   5:04 function_dictIII_5.gif
functi~8 gif         3,389  26/02/02   5:04 function_dictoption.gif
functi~9 gif         2,423  26/02/02   5:04 function_otheroption.gif
funct~10 gif         3,340  26/02/02   5:04 function_singleoption.gif
funct~11 gif         5,557  26/02/02   5:04 function_sysoption.gif
index~1  htm         3,580  26/02/02   5:04 index.html
intro    gif        50,426  26/02/02   5:04 INTRO.GIF
mainback jpg         5,096  26/02/02   5:05 MAINBACK.JPG
menu_a~1 gif         2,816  26/02/02   5:05 menu_attack.gif
menu_e~1 gif         4,462  26/02/02   5:05 menu_edit.gif
menu_f~1 gif         2,485  26/02/02   5:05 menu_file.gif
menu_h~1 gif         1,236  26/02/02   5:05 menu_help.gif
menu_o~1 gif         1,687  26/02/02   5:05 menu_option.gif
menu_t~1 gif         4,313  26/02/02   5:05 menu_tool.gif
msdos    gif         8,606  26/02/02   5:05 MSDOS.GIF
part_1~1 htm         2,983  26/02/02   5:05 part_1.html
part_2~1 htm        19,152  26/02/02   5:05 part_2.html
part_3~1 htm         1,989  26/02/02   5:05 part_3.html
part_3~2 htm         1,138  26/02/02   5:05 part_3_1.html
part_3~3 htm         4,105  26/02/02   5:05 part_3_2.html
part_3~4 htm         1,295  26/02/02   5:05 part_3_2_1.html
part_3~5 htm         7,111  26/02/02   5:05 part_3_3.html
part_3~6 htm         8,313  26/02/02   5:05 part_3_5.html
part_3~7 htm        18,577  26/02/02   5:05 part_3_4.html
part_3~8 htm        14,948  26/02/02   5:05 part_3_6.html
part_3~9 htm         2,293  26/02/02   5:05 part_3_7.html
part_5~1 htm         1,007  26/02/02   5:05 part_5.html
part_4~1 htm         3,092  26/02/02   5:05 part_4.html
planedit gif         4,753  26/02/02   5:05 Planedit.gif
produc~1 gif        62,290  26/02/02   5:05 productsn.gif
sharem~1 gif        70,662  26/02/02   5:05 sharemail.gif
        52 file(s)        800,157 bytes

Directory of G:\down\hack\_worm\Help\image

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
netxey~1 jpg        37,341  26/02/02   5:05 netxeyeslogo.jpg
scanbase gif        37,323  26/02/02   5:05 scanbase.gif
scanport gif        32,356  26/02/02   5:05 scanport.gif
scanpop  gif        31,557  26/02/02   5:05 scanpop.gif
scanftp  gif        31,790  26/02/02   5:05 scanftp.gif
scansmtp gif        31,512  26/02/02   5:05 scansmtp.gif
scanimap gif        31,629  26/02/02   5:05 scanimap.gif
scante~1 gif        31,049  26/02/02   5:05 scantelnet.gif
scancgi  gif        32,358  26/02/02   5:05 scancgi.gif
scancg~1 gif        12,953  26/02/02   5:05 scancgirule.gif
scansql  gif        31,692  26/02/02   5:05 scansql.gif
scanipc  gif        33,061  26/02/02   5:05 scanipc.gif
scaniis  gif        32,478  26/02/02   5:05 scaniis.gif
scanfi~1 gif        31,677  26/02/02   5:05 scanfinger.gif
scanrpc  gif        31,079  26/02/02   5:05 scanrpc.gif
scanmisc gif        31,560  26/02/02   5:05 scanmisc.gif
scanpl~1 gif        12,395  26/02/02   5:05 scanplugin.gif
scanop~1 gif        35,264  26/02/02   5:05 scanoption.gif
tcpopt~1 gif         2,344  26/02/02   5:05 tcpoption.gif
result~1 gif         4,985  26/02/02   5:05 result_ipc.gif
result~2 gif         7,302  26/02/02   5:05 result_ipc_ntcmd.gif
result~3 gif         4,829  26/02/02   5:05 result_sql.gif
result~4 gif         3,559  26/02/02   5:05 result_iis_remoteexecute.gif
result~5 gif         8,183  26/02/02   5:05 result_sql_sqlrcmd.gif
result~6 gif         3,050  26/02/02   5:05 result_iis_remoteexecutetyp.gif
result~7 gif         3,946  26/02/02   5:05 result_pca_connect.gif
result~8 gif         9,237  26/02/02   5:05 result_iis_remoteexecutewin.gif
result~9 gif         4,967  26/02/02   5:05 result_pca_ftp.gif
resul~10 gif         2,246  26/02/02   5:05 result_pca_crack.gif
resul~11 gif         3,559  26/02/02   5:05 result_fpg_ipc.gif
resul~12 gif         1,836  26/02/02   5:05 result_fpg_add.gif
resul~13 gif         6,806  26/02/02   5:05 result_fpg_import.gif
resul~14 gif         3,401  26/02/02   5:05 result_fpg_selectuser.gif
resul~15 gif         5,000  26/02/02   5:05 result_ipc_planter.gif
resul~16 gif         9,419  26/02/02   5:05 result_mysql.gif
resul~17 gif        10,862  26/02/02   5:05 result_sun_finger.gif
resul~18 gif         4,369  26/02/02   5:05 result_sun_finger_crack.gif
        37 file(s)        648,974 bytes

Directory of G:\down\hack\_worm\Plugins

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
nullpr~1 flu           264  26/02/02   5:06 nullprinter.flux
         1 file(s)            264 bytes

Directory of G:\down\hack\_worm\Reports

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
202102~1 htm           887  26/02/02   5:06 202.102.108.111-202.102.108.111.html
202981~1 htm        55,758  26/02/02   5:06 202.98.196.1-202.98.198.255.html
202981~2 htm         4,645  26/02/02   5:06 202.98.197.146-202.98.197.146.html
202982~1 htm           820  26/02/02   5:06 202.98.216.9-202.98.216.9.html
202996~1 htm         2,232  26/02/02   5:06 202.99.67.100-202.99.67.100.html
netxey~1 jpg        37,341  26/02/02   5:06 netxeyeslogo.jpg
         6 file(s)        101,683 bytes

Directory of G:\down\hack\_worm\SqlRcmd

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
sqlrcm~1       <DIR>        08/07/02  16:00 SqlRCmd_Express
sqlrcm~2       <DIR>        08/07/02  16:00 SqlRCmd_Normal
         0 file(s)              0 bytes

Directory of G:\down\hack\_worm\SqlRcmd\SqlRCmd_Express

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
         0 file(s)              0 bytes

Directory of G:\down\hack\_worm\SqlRcmd\SqlRCmd_Normal

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
         0 file(s)              0 bytes

Directory of G:\down\hack\_worm\Tools

.              <DIR>        08/07/02  16:00 .
..             <DIR>        08/07/02  16:00 ..
netsvc   exe        78,640  26/02/02   5:06 NETSVC.EXE
ntlm     exe       110,592  26/02/02   5:06 NTLM.EXE
pskill   exe        77,824  26/02/02   5:06 PSKILL.EXE
runasex  exe        36,864  26/02/02   5:06 RunAsEx.exe
srv      exe        59,392  26/02/02   5:06 SRV.EXE
         5 file(s)        363,312 bytes

Total files listed:
       198 file(s)      7,925,848 bytes
        71 dir(s)        1,061.63 MB free


On 11 Jul 2002 at 14:53, Michael Fredericks wrote:

From:                   "Michael Fredericks" <mfredericks () infosol com>
To:                     "'Graham, Randy (RAW) '" <RAW () y12 doe gov>,
        "'Curley Mr Eric P'" <CurleyEP () NOC USMC MIL>, 
<incidents () securityfocus com>
Subject:                RE: Code Red and other anomalous activity from 1433
Date sent:              Thu, 11 Jul 2002 14:53:08 -0700

Hi All,
I've been getting slammed with Subseven attempts in the past 24 hours.
Again they are almost all from Asia (APNIC) and most of the ones I've
traced so far have been in Korea. Since it is Subseven, I wouldn't
imagine they'd be spoofed so I think it is safe to say there is
something weird going on in Asia.

Michael Fredericks
Manager - Networks and Telecommunications
InfoSol, Inc.
mfredericks () infosol com
http://www.infosol.com/


-----Original Message-----
From: Graham, Randy (RAW) [mailto:RAW () y12 doe gov] 
Sent: Thursday, July 11, 2002 12:56 PM
To: Curley Mr Eric P; incidents () securityfocus com
Subject: RE: Code Red and other anomalous activity from 1433

Seeing about 24 hours worth of traffic here.  Started a little before 8:00
yesterday morning.  Last we saw of it was around 6:30 today (at least, the
last my internal snort sensor picked up - not sure if the firewall guys have
just blocked it or if it has stopped).

Randy Graham
-- 
Recursion (ri-'k&r-zh&n) [noun] - See: Recursion


-----Original Message-----
From: Curley Mr Eric P [mailto:CurleyEP () NOC USMC MIL]
Sent: Thursday, July 11, 2002 10:26 AM
To: incidents () securityfocus com
Subject: Code Red and other anomalous activity from 1433


Has anybody else been getting slammed by Code Red activity today?  It seems
to be coming from mostly Asian blocks but there are some other blocks
thrown in there as well.  Then again it could all be spoofed and could be
coming from the 12 year old down the street..Thrown into all this traffic
I'm also seeing a lot of Dest ports with 1433; Possibly that SQL stuff that
happened last month..anywho, just wanted to know if anybody else was
experiencing this.

Cheers,
Eric

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Wednesday, July 10, 2002 1:40 PM
To: Pavel Kankovsky; incidents () securityfocus com
Subject: RE: TCP port 139 probes



Having done a superficial examination of system directories on those
machines (they had a publicly accessible share, ergo I was invited,
wasn't I? <g>)

Uh...no, you weren't.  Just b/c a share is publicly
accessible, does NOT, in fact, mean that you were
invited.  This is simply the age-old rhetoric used to
justify malicious actions.  While many admins have
said that they would be very happy to be told by an
outsider that they had a vulnerable machine, to date
not a single one has said that they'd be happy to have
that person access the machine via some vulnerability
and take files.

I downloaded 3 of them and they all seem to be
compressed executables

As with your previous posts, this one is incredibly
vague and lacking in any useful information. 
Compresses with what?  PKZip?  UPX?  What version? 
Did you uncompress the files?

having a common prefix, 

If you're referring to the first couple of bytes of
the file, "MZ" is the common prefix for executables on
Windows systems.

and there are some fragments of strings ("rom", "y smt", ") with", "ESM",
"Mime-", "-Typ", "quit" etc) in that common prefix suggesting there is
some SMTP implementation there--presumably some kind of malware able to
spread via email.

Did you run strings on the compressed or uncompressed
file?  
 
But I did not find anything similar on other
machines I examined.

Interesting how you've posted to a public list,
basically stating that while you refuse to do any
testing on your end to verify that the activity you're
seeing is a worm (in your own words to me via email,
you're "too lazy"), you're more than willing to access
vulnerable systems and take files...


-- 
Stuart Udall
stuart () cyberdelix net - http://www.cyberdelix.net/
..revolution through evolution

want to make some cash? check out http://cyberdelix.net/affiliates.htm
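H C's questions above (is "MZ" the only common prefix, and were strings taken from the compressed or the unpacked file?) are the checks a defender makes before trusting string fragments from a suspect binary. The following is an added Python example, not code from the thread or from any tool it mentions: it walks the MZ/PE headers to the section table and flags packer-style section names or high-entropy sections, which is when `strings` output becomes unreliable. The packer name list and the two sample PE images are constructed for the example.

```python
import hashlib
import math
import struct

# Section names left behind by common packers; a constructed, deliberately short list
# (UPX is the packer H C asks about in the thread).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, well under 7 for plain code or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table. Returns [(name, raw bytes)]."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/Windows executable")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ stub without PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", blob, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", blob, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                      # IMAGE_SECTION_HEADER is 40 bytes
        name = blob[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        sections.append((name, blob[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(blob: bytes) -> dict:
    """Say whether the file looks packed, i.e. whether strings on it are worth anything."""
    secs = pe_sections(blob)
    packer_hits = [n.decode() for n, _ in secs if n in PACKER_SECTION_NAMES]
    entropies = {n.decode(errors="replace"): round(shannon_entropy(d), 2) for n, d in secs}
    high = [n for n, e in entropies.items() if e > 7.0]
    return {"sections": entropies, "packer_sections": packer_hits,
            "high_entropy_sections": high, "likely_packed": bool(packer_hits or high)}


def build_sample_pe(section_name: bytes, payload: bytes) -> bytes:
    """Constructed minimal one-section PE image used only as sample input; not a real program."""
    e_lfanew, opt_size = 0x40, 0xE0                              # PE32 optional header size
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 + 0x1FF) & ~0x1FF  # 512-byte file alignment
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    sect = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), len(payload),
                       0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return img + bytes(raw_ptr - len(img)) + payload


# Constructed samples: readable SMTP text in a normal .text section, and pseudo-random
# (compressed-looking) data in a UPX1 section.
SAMPLE_PLAIN = build_sample_pe(b".text", b"MAIL FROM:<a@b.c>\r\nMime-Version: 1.0\r\nQUIT\r\n" * 32)
SAMPLE_PACKED = build_sample_pe(b"UPX1", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))

if __name__ == "__main__":
    print(triage(SAMPLE_PLAIN))
    print(triage(SAMPLE_PACKED))
```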


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

