Information Security News mailing list archives

CyberCash Server Hit By Code Red II


From: InfoSec News <isn () c4i org>
Date: Wed, 15 Aug 2001 02:48:08 -0500 (CDT)

http://www.newsbytes.com/news/01/169010.html

By Brian McWilliams, Newsbytes
RESTON, VIRGINIA, U.S.A., 14 Aug 2001, 1:30 PM CST

A server formerly operated by CyberCash, an online payment provider,
has been infected by the Code Red II worm, according to several
independent reports.

Intrusion logs compiled by Dshield.org and MyNetWatchMan.com show that
a system located at an Internet address registered to CyberCash has
probed at least a dozen other machines in the same Internet address
space in recent days using a fingerprint that indicates a Code Red II
infection.

A spokesperson for First Data Merchant Services, which acquired
CyberCash's software business in May after it filed for bankruptcy,
confirmed that the server was infected with Code Red II.

The infected server, located at the Internet protocol address
208.241.29.62, was used by customers to download First Data's ICVERIFY
software, a PC-based payment processing system. According to the
spokesperson, the data stored on the infected server was not affected
by the worm.

By early this afternoon, the infected server, which was running an
unpatched version of Microsoft's Internet Information Server (IIS)
version 5, was no longer accepting Internet connections while First
Data officials dealt with the infection.

The main CyberCash Web site, located at a different Internet protocol
address, runs the Apache Web server on BSD, a version of Unix.

According to a spokesperson for VeriSign, which acquired CyberCash's
payment processing business, no CyberCash servers operated by VeriSign
were affected by the worm.

The infected server attempted to access a file called default.ida on
the target machines, followed by dozens of X characters, in an attempt
to exploit a buffer overflow bug in Microsoft's IIS server software
identified in June.

The intrusion in CyberCash's network was first identified and reported
to the company by Jay Dyson, an independent security consultant who
received one of the scans early today while testing Early Bird, a
real-time Code Red intrusion attempt notification utility he has
developed.
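As an added example (not code from the article, from Dyson's Early Bird, or from DShield), the following Python script shows how the probe fingerprint described above (a request for default.ida followed by a long run of X characters) can be detected in web server access logs and counted per source address, which is how a host probing "at least a dozen other machines" would stand out in compiled intrusion logs. The log lines are constructed samples in Apache common log format, and the "N" filler used to tag the original Code Red variant is an addition beyond what the article states.

```python
import re
from collections import Counter

# Constructed sample access log (not real traffic). The first two lines mimic the
# Code Red II probe described in the article, the third the original Code Red
# variant (N filler, not mentioned in the article), the fourth is a normal request.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2001:09:12:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 288 "-" "-"
203.0.113.7 - - [14/Aug/2001:09:12:04 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 288 "-" "-"
198.51.100.9 - - [14/Aug/2001:09:13:40 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 288 "-" "-"
192.0.2.5 - - [14/Aug/2001:09:14:02 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# Apache/IIS-style common log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Probe fingerprint: default.ida followed by a long run of one filler character.
# Code Red II used "X"; the original Code Red used "N" (assumption beyond the article).
PROBE_RE = re.compile(
    r'^(?:GET|HEAD) /default\.ida\?(?P<filler>X{20,}|N{20,})', re.IGNORECASE)

def classify_request(request_line):
    """Return 'code-red-ii', 'code-red', or None for one HTTP request line."""
    m = PROBE_RE.match(request_line)
    if not m:
        return None
    return "code-red-ii" if m.group("filler")[0].upper() == "X" else "code-red"

def scan_log(text):
    """Parse log lines and count probe attempts per (source IP, worm variant)."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        variant = classify_request(m.group("req"))
        if variant:
            hits[(m.group("ip"), variant)] += 1
    return hits

def report(hits, threshold=1):
    """One line per probing source at or above the threshold, busiest first."""
    return [f"{ip} {variant} probes={n}"
            for (ip, variant), n in hits.most_common() if n >= threshold]

if __name__ == "__main__":
    for line in report(scan_log(SAMPLE_LOG)):
        print(line)
```

A source that repeatedly appears with the "code-red-ii" tag is the kind of host the article describes: an infected IIS server scanning its neighbours, which is what the DShield and MyNetWatchMan logs recorded.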

According to a description of Code Red II by the Computer Emergency
Response Team (CERT), the worm only infects Windows 2000 servers
running IIS 4.0 or 5.0. Once compromised by the worm, systems may
relinquish full, system-level control of the machine to intruders. As
a result, "compromised systems may be subject to files being altered
or destroyed. Denial-of-service conditions may be created for services
relying on altered or destroyed files. Hosts that have been
compromised are also at high risk for being party to attacks on other
Internet sites," according to CERT.

Last week, following an investigation by Newsbytes, Microsoft
confirmed that a number of the servers supporting its MSN Hotmail
service were infected with variants of the Code Red Worm. The company
has since patched or taken the systems offline.

CyberCash is at http://www.cybercash.com

The CERT advisory on Code Red II is at
http://www.cert.org/incident_notes/IN-2001-09.html

Dyson's Early Bird utility is at
http://www.treachery.net/~jdyson/earlybird



-
ISN is currently hosted by Attrition.org
