http://www.newsbytes.com/news/01/169010.html

By Brian McWilliams, Newsbytes

RESTON, VIRGINIA, U.S.A., 14 Aug 2001, 1:30 PM CST

A server formerly operated by CyberCash, an online payment provider, has been infected by the Code Red II worm, according to several independent reports.

Intrusion logs compiled by Dshield.org and MyNetWatchMan.com show that a system located at an Internet address registered to CyberCash has probed at least a dozen other machines in the same Internet address space in recent days using a fingerprint that indicates a Code Red II infection.

A spokesperson for First Data Merchant Services, which acquired CyberCash's software business in May after it filed for bankruptcy, confirmed that the server was infected with Code Red II.

The infected server, located at the Internet protocol address 208.241.29.62, was used by customers to download First Data's ICVERIFY software, a PC-based payment processing system. According to the spokesperson, the data stored on the infected server was not affected by the worm.

By early this afternoon, the infected server, which was running an unpatched version of Microsoft's Internet Information Server (IIS) version 5, was no longer accepting Internet connections while First Data officials dealt with the infection.

The main CyberCash Web site, located at a different Internet protocol address, runs the Apache Web server on BSD, a version of Unix. According to a spokesperson for VeriSign, which acquired CyberCash's payment processing business, no CyberCash servers operated by VeriSign were affected by the worm.

The infected server attempted to access a file called default.ida on the target machines, followed by dozens of X characters, in an attempt to exploit a buffer overflow bug in Microsoft's IIS server software identified in June.
The intrusion in CyberCash's network was first identified and reported to the company by Jay Dyson, an independent security consultant who received one of the scans early today while testing Early Bird, a real-time Code Red intrusion attempt notification utility he has developed.

According to a description of Code Red II by the Computer Emergency Response Team (CERT), the worm only infects Windows 2000 servers running IIS 4.0 or 5.0. Once compromised by the worm, systems may relinquish full, system-level control of the machine to intruders.

As a result, "compromised systems may be subject to files being altered or destroyed. Denial-of-service conditions may be created for services relying on altered or destroyed files. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites," according to CERT.

Last week, following an investigation by Newsbytes, Microsoft confirmed that a number of the servers supporting its MSN Hotmail service were infected with variants of the Code Red Worm. The company has since patched or taken the systems offline.

CyberCash is at http://www.cybercash.com

The CERT advisory on Code Red II is at http://www.cert.org/incident_notes/IN-2001-09.html

Dyson's Early Bird utility is at http://www.treachery.net/~jdyson/earlybird

- ISN is currently hosted by Attrition.org
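As an added example (not part of the article, and not Dyson's Early Bird utility), the short Python scan below flags the default.ida probe fingerprint described above in web server access logs and counts probes per source address, which is how an operator would spot an infected neighbour to report. The log lines, the RFC 5737 addresses, and the 20-character filler threshold are constructed assumptions.

```python
import re
from collections import Counter

# A Code Red II probe requests /default.ida with a long run of 'X' characters
# as filler ahead of the overflow payload; the original Code Red used 'N'.
# Twenty repeated characters is an assumed threshold, far below the worm's
# real filler length, so ordinary requests do not match. The payload that
# follows the filler is not needed to recognise the probe and is omitted here.
FILLER_RE = re.compile(r"^GET /default\.ida\?(X{20,}|N{20,})", re.IGNORECASE)

# Common Log Format: client ident user [timestamp] "request" status bytes
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample lines (documentation addresses, not real hosts).
X, N = "X" * 80, "N" * 80
SAMPLE_LOG = f"""\
203.0.113.5 - - [14/Aug/2001:09:12:01 -0500] "GET /default.ida?{X} HTTP/1.0" 404 0
192.0.2.7 - - [14/Aug/2001:09:12:05 -0500] "GET /index.html HTTP/1.1" 200 1432
203.0.113.5 - - [14/Aug/2001:09:13:44 -0500] "GET /default.ida?{X} HTTP/1.0" 404 0
198.51.100.9 - - [14/Aug/2001:09:14:10 -0500] "GET /default.ida?{N} HTTP/1.0" 404 0
"""

def classify_request(request):
    """Return 'Code Red II', 'Code Red', or None for one HTTP request line."""
    m = FILLER_RE.match(request)
    if not m:
        return None
    return "Code Red II" if m.group(1).upper().startswith("X") else "Code Red"

def scan_log(text):
    """Return (hits, per_source): hits is a list of (ip, timestamp, variant,
    status); per_source counts probes per client address."""
    hits, per_source = [], Counter()
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        variant = classify_request(m.group("req"))
        if variant:
            hits.append((m.group("ip"), m.group("ts"), variant, int(m.group("status"))))
            per_source[m.group("ip")] += 1
    return hits, per_source

if __name__ == "__main__":
    hits, per_source = scan_log(SAMPLE_LOG)
    for ip, ts, variant, status in hits:
        print(f"{ts} {ip} {variant} probe (status {status})")
    for ip, count in per_source.most_common():
        print(f"{ip}: {count} probe(s); likely infected host, report to its owner")
```

A 404 on these requests means the server did not route the request to the .ida handler; any other status on an IIS host is worth checking against the patch level.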
This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 02:56:56 PDT