Security Incidents mailing list archives

RE: Code Red Scan


From: Richard Bradford <rbradford () vendaregroup com>
Date: Wed, 1 Aug 2001 10:30:53 -0700

I just nbtstat'd this guy's DSL.  I winpopped him to let him know
his IIS box is open.

C:\>net send 64.173.141.242  you're wide open Patch your machine!
The message was successfully sent to 64.173.141.242

C:\>net send 64.173.141.242 The Chinese Worm is scanning from your box.
The message was successfully sent to 64.173.141.242.

Looks like some guy teaching a class...I can map a drive to his C$
as well... sad..sad...sad....

C:\>nbtstat -A 64.173.141.242

Local Area Connection:
Node IpAddress: [10.3.21.59] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    INSTRUCTOR     <00>  UNIQUE      Registered
    TRAINING       <00>  GROUP       Registered
    INSTRUCTOR     <20>  UNIQUE      Registered
    TRAINING       <1E>  GROUP       Registered
    INSTRUCTOR     <03>  UNIQUE      Registered
    INet~Services  <1C>  GROUP       Registered
    IS~INSTRUCTOR..<00>  UNIQUE      Registered
    TRAINING       <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    DUNCANC        <03>  UNIQUE      Registered

    MAC Address = 00-10-5A-29-E2-19


-----Original Message-----
From: Jonathan Rickman [mailto:jonathan () xcorps net]
Sent: Wednesday, August 01, 2001 9:52 AM
To: abuse () pacbell net
Cc: incidents () securityfocus com
Subject: Code Red Scan



Please take the following information for action...

Log entry from www.xcorps.net:
==============================

64.173.141.242 - - [01/Aug/2001:12:43:49 -0400] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u780
1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%
u0000%u00=a HTTP/1.0" 400 252

==============================

Offender:
=========

adsl-64-173-141-242.dsl.snfc21.pacbell.net

=========


Information on the Code Red Worm can be obtained by sending email to:

code-red () xcorps net


Thank you for your prompt attention to this matter...

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net
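An added example, not part of either message above: a small Python log scanner that parses Apache common-log-format lines and flags the Code Red probe pattern quoted in the report (a GET for /default.ida? followed by a long run of "N" and %u-encoded bytes), then counts probes per source host so the offending address can be reported. The sample log lines are constructed; the first is modelled on the entry above, re-joined onto one line. It also accepts the "X" filler used by the later Code Red II variant, which the post itself does not mention.

```python
import re
from collections import Counter

# Constructed request line modelled on the probe in the post above (re-joined
# onto one line; the worm sends a long run of "N" followed by %u-encoded bytes).
CODE_RED_REQUEST = (
    "GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
)

# Constructed Apache common-log-format lines: one probe, two ordinary requests.
SAMPLE_LOG_LINES = [
    f'64.173.141.242 - - [01/Aug/2001:12:43:49 -0400] "{CODE_RED_REQUEST}" 400 252',
    '192.0.2.10 - - [01/Aug/2001:12:44:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [01/Aug/2001:12:44:02 -0400] "GET /default.ida HTTP/1.0" 404 210',
]

# Common log format: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red probe: GET /default.ida? followed by a run of at least 100 identical
# filler letters and then %u-encoded bytes. The post shows "N"; the later
# Code Red II variant used "X", so both are accepted via the backreference.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?([NX])\1{99,}%u')

def parse_clf(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def is_code_red_probe(request):
    """True if the request line carries the Code Red .ida overflow pattern."""
    return CODE_RED_RE.match(request) is not None

def scan_log(lines):
    """Return (hits, per_host_counts) for Code Red probes found in the log lines."""
    # A 400 or 404 status only means this server lacked the vulnerable .ida
    # handler; the source host is still the one to report, as in the post above.
    hits = [
        (rec["host"], rec["time"], int(rec["status"]))
        for rec in map(parse_clf, lines)
        if rec and is_code_red_probe(rec["request"])
    ]
    return hits, Counter(host for host, _, _ in hits)
```

Running scan_log over a real access log yields one tuple per probe and a per-host tally; the tally is what goes into the abuse report.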


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
