[ISN] CyberCash Server Hit By Code Red II

From: InfoSec News (isnat_private)
Date: Wed Aug 15 2001 - 00:48:08 PDT

    By Brian McWilliams, Newsbytes
    14 Aug 2001, 1:30 PM CST
    A server formerly operated by CyberCash, an online payment provider,
    has been infected by the Code Red II worm, according to several
    independent reports.
    Intrusion logs compiled by Dshield.org and MyNetWatchMan.com show that
    a system located at an Internet address registered to CyberCash has
    probed at least a dozen other machines in the same Internet address
    space in recent days using a fingerprint that indicates a Code Red II
    A spokesperson for First Data Merchant Services, which acquired
    CyberCash's software business in May after it filed for bankruptcy,
    confirmed that the server was infected with Code Red II.
    The infected server, located at the Internet protocol address, was used by customers to download First Data's ICVERIFY
    software, a PC-based payment processing system. According to the
    spokesperson, the data stored on the infected server was not affected
    by the worm.
    By early this afternoon, the infected server, which was running an
    unpatched version of Microsoft's Internet Information Server (IIS)
    version 5, was no longer accepting Internet connections while First
    Data officials dealt with the infection.
    The main CyberCash Web site, located at a different Internet protocol
    address, runs the Apache Web server on BSD, a version of Unix.
    According to a spokesperson for VeriSign, which acquired CyberCash's
    payment processing business, no CyberCash servers operated by VeriSign
    were affected by the worm.
    The infected server attempted to access a file called default.ida on
    the target machines, followed by dozens of X characters, in an attempt
    to exploit a buffer overflow bug in Microsoft's IIS server software
    identified in June.
    The intrusion in CyberCash's network was first identified and reported
    to the company by Jay Dyson, an independent security consultant who
    received one of the scans early today while testing Early Bird, a
    realtime Code Red intrusion attempt notification utility he has
    According to a description of Code Red II by the Computer Emergency
    Response Team (CERT), the worm only infects Windows 2000 servers
    running IIS 4.0 or 5.0. Once compromised by the worm, systems may
    relinquish full, system-level control of the machine to intruders. As
    a result, "compromised systems may be subject to files being altered
    or destroyed. Denial-of-service conditions may be created for services
    relying on altered or destroyed files. Hosts that have been
    compromised are also at high risk for being party to attacks on other
    Internet sites," according to CERT.
    Last week, following an investigation by Newsbytes, Microsoft
    confirmed that a number of the servers supporting its MSN Hotmail
    service were infected with variants of the Code Red Worm. The company
    has since patched or taken the systems offline.
    CyberCash is at http://www.cybercash.com
    The CERT advisory on Code Red II is at
    Dyson's Early Bird utility is at
    ISN is currently hosted by Attrition.org
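The probe fingerprint the article describes (a request for default.ida followed by a long run of X characters) can be matched in web server access logs and tallied per source address. The following is an added example, not part of the original article and not Dyson's Early Bird utility; the log lines are constructed, the function names and the 24-character padding threshold are assumptions, and the N-padded case covers the original Code Red worm, which goes beyond what the article states.

```python
import re
from collections import defaultdict

# Request for default.ida whose query string opens with a long run of a single
# padding character. MIN_PAD is an assumed threshold for "dozens" of characters.
MIN_PAD = 24
PROBE = re.compile(
    r'"GET /(?i:default\.ida)\?(?P<pad>([NX])\2{%d,})' % (MIN_PAD - 1)
)

# Padding character -> worm family. 'X' is the Code Red II fingerprint from the
# article; 'N' is the padding used by the original Code Red worm.
VARIANTS = {"N": "Code Red", "X": "Code Red II"}


def classify(line):
    """Return (source_ip, variant) if the log line is a probe, else None."""
    m = PROBE.search(line)
    if m is None:
        return None
    source_ip = line.split(" ", 1)[0]  # first field in Common Log Format
    return source_ip, VARIANTS[m.group(2)]


def summarize(lines):
    """Count probes per source address and variant."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify(line)
        if hit:
            hits[hit[0]][hit[1]] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


# Constructed sample in Common Log Format (documentation-range addresses).
# Only the padding run is reproduced; nothing after it is needed to detect.
TS = "[14/Aug/2001:09:01:12 -0500]"
SAMPLE_LOG = [
    '192.0.2.10 - - %s "GET /default.ida?%s HTTP/1.0" 404 205' % (TS, "X" * 224),
    '192.0.2.10 - - %s "GET /default.ida?%s HTTP/1.0" 404 205' % (TS, "X" * 224),
    '198.51.100.4 - - %s "GET /default.ida?%s HTTP/1.0" 404 205' % (TS, "N" * 224),
    '203.0.113.9 - - %s "GET /index.html HTTP/1.0" 200 1043' % TS,
    '203.0.113.9 - - %s "GET /default.ida?id=5 HTTP/1.0" 404 205' % TS,
]

if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, counts)
```

A 404 on these requests only shows the target had no .ida mapping to hit; the source address is still an infected host worth reporting to its owner, as Dyson did.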