Snort mailing list archives
RE: Code Green???
From: "Dominick, David" <David.Dominick () delta com>
Date: Tue, 18 Sep 2001 16:45:32 -0400
Does the virus send out more mass mailings than the people talking about it? j/k Just thought we needed a little levity today.

-----Original Message-----
From: Missaghi, Shawn [mailto:Shawn.Missaghi () jacobs com]
Sent: Tuesday, September 18, 2001 2:23 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Code Green???

This is the preliminary information known at this time.

Symantec has received a number of submissions and has assessed this as a level 4 threat rating. There is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as readme.exe in an email. In addition, the worm sends out probes to IIS servers attempting to spread by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment. Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares.

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a () mm html

Increase in Port 80 (HTTP) scanning activity

This morning (September 18th) the CERT/CC started receiving reports of a massive increase in scanning directed at port 80 (HTTP). Reports indicate that this scanning activity is attempting to exploit systems previously compromised by Code Red II and/or the sadmind/IIS worm as well as other known vulnerabilities in Microsoft Internet Information Server (IIS). Please see CERT Vulnerability Note VU#111677 <http://www.kb.cert.org/vuls/id/111677> for information on the type of vulnerability being exploited.
The following is a log excerpt of this scanning activity:

GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

The CERT/CC has also received reports of a possibly new piece of malicious code named "readme.exe" being sent via email. Preliminary analysis indicates that this file may be related to the increase in port 80 scanning activity.

Sites are encouraged to verify the state of security patches on all IIS servers and email client software. Administrators may also want to add filters to mail servers to block the "readme.exe" attachment. In addition, sites may wish to notify users of the existence of "readme.exe" and its potential threat.

-----Original Message-----
From: Ian Cudlip [mailto:ian () insight-media co uk]
Sent: Tuesday, September 18, 2001 1:56 PM
To: Steve Halligan; 'richard'; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Code Green???

I've had it infect machines patched for Code Red, but not patched with the MS sec. roll-up.

Ian.

On Tuesday 18 September 2001 5:34 pm, Steve Halligan wrote:
This infected our WinNT and Win2K systems that were previously patched for Code Red. One of them I even fixed yesterday and put Microsoft's CodeRedCleanup tool on it. It is placing the root.exe file on the hard drive. Can anyone verify that this is infecting IIS servers patched to current levels?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
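The CERT log excerpt quoted in this thread mixes four ways of writing the same traversal (%5c, %2f, overlong UTF-8 such as \xc0\xaf and \xc1\x9c, and the \xc1\x1c form that only IIS's lenient decoder accepts). A detector that matches on the raw strings misses the next variant, so the useful check is to normalize each request the way the vulnerable server did and then look at the resolved path. The Python below is an added example, not code from the list post, CERT or Symantec: the overlong decoding (mask the second byte to six bits, which is how \x1c and \x9c both become a backslash) is a model of IIS's behaviour and an assumption of this example; the sample log is constructed from four lines of the excerpt plus one double-encoded line (%255c) and one benign line that are not in the excerpt.

```python
"""Normalize IIS-style request paths and flag the traversal / cmd.exe probes
from the CERT log excerpt.  Added example, not code from the list post."""
import re
from urllib.parse import unquote_to_bytes

# Filenames the worms request once a path has been traversed, or once a
# backdoor copy of cmd.exe (root.exe) has been planted by an earlier worm.
SUSPICIOUS_TARGETS = {b"cmd.exe", b"root.exe"}
MAX_DECODE_ROUNDS = 3  # covers single (%5c) and double (%255c) encoding


def lenient_overlong_decode(data: bytes) -> bytes:
    """Collapse 0xC0/0xC1-led two-byte sequences to the ASCII byte they
    overlong-encode.  0xC0 and 0xC1 are never valid UTF-8 lead bytes, so a
    strict decoder rejects them; IIS's did not.  Masking the second byte to
    its low six bits (so \\x1c and \\x9c both give 0x5C) models that
    behaviour and is an assumption of this example."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_path(raw_path: bytes) -> bytes:
    """Repeat percent-decoding and overlong decoding until the bytes stop
    changing, so %5c, \\xc0\\xaf and %255c all end up as a plain separator.
    Note that the %35c form in the excerpt decodes to a literal '5c', not a
    backslash; those lines are still caught by the cmd.exe target check."""
    cur = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = lenient_overlong_decode(unquote_to_bytes(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur


def canonicalize(path: bytes):
    """Resolve '.' and '..' against a virtual root.  Returns the resolved
    path and whether any '..' tried to climb above that root."""
    escaped = False
    stack = []
    for seg in path.replace(b"\\", b"/").split(b"/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            if stack:
                stack.pop()
            else:
                escaped = True
            continue
        stack.append(seg)
    return b"/" + b"/".join(stack), escaped


REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+)\s+(?P<target>\S+)")


def classify(request_line: bytes) -> dict:
    """Return the normalized path and the reasons (if any) the request
    looks like one of the probes in the excerpt."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return {"path": None, "escaped": False, "reasons": ["unparseable request line"]}
    target = m.group("target").split(b"?", 1)[0]      # drop the ?/c+dir query
    path, escaped = canonicalize(normalize_path(target))
    basename = path.rsplit(b"/", 1)[-1].lower()
    reasons = []
    if escaped:
        reasons.append("traversal above web root")
    if basename in SUSPICIOUS_TARGETS:
        reasons.append("requests " + basename.decode())
    return {"path": path, "escaped": escaped, "reasons": reasons}


# Constructed sample: four lines copied from the CERT excerpt (the \xc0/\xc1
# escapes are the raw bytes the archive shows as text), plus one
# double-encoded variant and one benign request that are not in the excerpt.
SAMPLE_LOG = [
    b"GET /scripts/root.exe?/c+dir",
    b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir",
    b"GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir",  # constructed, double-encoded
    b"GET /index.html",                                         # constructed, benign
]


def scan(lines=SAMPLE_LOG):
    """Return (line, verdict) for every line that carries at least one reason."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict["reasons"]:
            hits.append((line, verdict))
    return hits


if __name__ == "__main__":
    for line, verdict in scan():
        print(line.decode("latin-1"), "->", verdict["path"].decode(), verdict["reasons"])
```

The design point is the order of operations: decode first, then resolve the path, then decide. Matching on the encoded strings is what the worm's author was counting on, and the same normalize-then-check sequence is what the patched server does before it hands a path to the filesystem. Over-normalizing (a literal '%' in a legitimate path being decoded twice) costs a false positive in a detector; under-normalizing costs a missed probe.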
Current thread:
- RE: Code Green???, (continued)
- RE: Code Green??? Lodin, Steven {GZ-Q~Mannheim} (Sep 18)
- RE: Code Green??? richard (Sep 18)
- RE: Code Green??? Steve Halligan (Sep 18)
- RE: Code Green??? Ed Kasky (Sep 18)
- RE: Code Green??? Steve Halligan (Sep 18)
- Re: Code Green??? Ian Cudlip (Sep 18)
- RE: Code Green??? John Steniger (Sep 18)
- RE: Code Green??? Tim Parker (Sep 18)
- Re: Code Green??? Ian Cudlip (Sep 18)
- RE: Code Green??? Missaghi, Shawn (Sep 18)
- RE: Code Green??? Dominick, David (Sep 18)
- RE: Code Green??? Patrick Coomans (Sep 18)
- RE: Code Green??? Lodin, Steven {GZ-Q~Mannheim} (Sep 18)