Snort mailing list archives

RE: Code Green???


From: "Missaghi, Shawn" <Shawn.Missaghi () jacobs com>
Date: Tue, 18 Sep 2001 14:23:16 -0400

This is the preliminary information known at this time.
Symantec has received a number of submissions and has assessed this as a
level 4 threat rating.

There is a new mass-mailing worm that utilizes email to propagate itself.
The threat arrives as readme.exe in an email. 

In addition, the worm sends out probes to IIS servers attempting to spread
by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm.
Compromised servers may display a webpage prompting a visitor to download an
Outlook file which contains the worm as an attachment.

Also, the worm will create an open network share allowing access to the
system. The worm will also attempt to spread via open network shares.
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a () mm html

Increase in Port 80 (HTTP) scanning activity
This morning (September 18th) the CERT/CC started receiving reports of a
massive increase in scanning directed at port 80 (HTTP). Reports indicate
that this scanning activity is attempting to exploit systems previously
compromised by Code Red II and/or the sadmind/IIS worm as well as other
known vulnerabilities in Microsoft Internet Information Server (IIS). Please
see CERT Vulnerability Note VU#111677
<http://www.kb.cert.org/vuls/id/111677> for information on the type of
vulnerability being exploited.
The following is a log excerpt of this scanning activity: 
GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
The CERT/CC has also received reports of a possibly new piece of malicious
code named "readme.exe" being sent via email. Preliminary analysis indicates
that this file may be related to the increase in port 80 scanning activity. 
Sites are encouraged to verify the state of security patches on all IIS
servers and email client software. Administrators may also want to add
filters to mail servers to block the "readme.exe" attachment. In addition,
sites may wish to notify users of the existence of "readme.exe" and its
potential threat. 

-----Original Message-----
From: Ian Cudlip [mailto:ian () insight-media co uk]
Sent: Tuesday, September 18, 2001 1:56 PM
To: Steve Halligan; 'richard'; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Code Green???


I've had it infect machines patched for code red, but not patched with the ms
sec. roll-up.

Ian.

On Tuesday 18 September 2001 5:34 pm, Steve Halligan wrote:
This infected our previously patched for code red, winnt and win2k
systems. One of them I even fixed yesterday and put Microsoft's
CodeRedCleanup tool on it. It is placing the root.exe file on the hard
drive.

Can anyone verify that this is infecting IIS server patched to current
levels?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




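A small triage script for the log excerpt quoted in the CERT text above, added here as an example and not part of the original thread or of Snort: it decodes each request path the way those patterns require (one and two percent-decoding passes, plus a check for the 0xC0/0xC1 bytes that only occur in overlong UTF-8) and reports why each line is suspicious. The sample lines are copied from the excerpt except the final benign one, which is constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Sample request lines: all but the last are copied from the log excerpt
# quoted in the thread; the last one is a constructed benign request.
SAMPLE_LOG = [
    b"GET /scripts/root.exe?/c+dir",
    b"GET /MSADC/root.exe?/c+dir",
    b"GET /c/winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir",
    b"GET /images/logo.gif",
]

# A "dot-dot" step followed by either path separator, matched on raw bytes.
TRAVERSAL = re.compile(rb"\.\.[\\/]")


def classify(line: bytes) -> list[str]:
    """Return the findings for one request line (empty list if it looks benign)."""
    parts = line.split()
    if len(parts) < 2:
        return []
    path = parts[1].split(b"?", 1)[0]
    once = unquote_to_bytes(path)    # first %XX pass, as the web server does
    twice = unquote_to_bytes(once)   # second pass exposes %25-style double encoding
    raw_hits = len(TRAVERSAL.findall(path))
    once_hits = len(TRAVERSAL.findall(once))
    twice_hits = len(TRAVERSAL.findall(twice))
    findings = []
    if path.lower().endswith(b"/root.exe"):
        findings.append("root.exe backdoor (Code Red II leftover)")
    if b"cmd.exe" in path.lower():
        findings.append("cmd.exe requested")
    if max(raw_hits, once_hits, twice_hits):
        findings.append("dot-dot traversal")
    if once_hits > raw_hits:
        findings.append("percent-encoded traversal")
    if twice_hits > once_hits:
        findings.append("double-encoded traversal")
    # 0xC0 and 0xC1 can never start a valid UTF-8 sequence; they only show up
    # in overlong encodings of '/' and '\' meant to slip past path checks.
    if b"\xc0" in path or b"\xc1" in path:
        findings.append("overlong UTF-8 separator")
    return findings


def scan(lines: list[bytes]) -> dict[bytes, list[str]]:
    """Map each suspicious line to its findings; benign lines are dropped."""
    return {ln: f for ln in lines if (f := classify(ln))}


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(line.decode("latin-1"), "->", "; ".join(findings))
```

Note that `%35c` as printed in the excerpt decodes to the literal bytes `5c`, so that line is flagged only through the cmd.exe and dot-dot rules.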
