RE: Code Red Scan

From: Richard Bradford (rbradfordat_private)
Date: Wed Aug 01 2001 - 10:30:53 PDT


    I just nbtstat'd this guy's DSL.  I winpopped him to let him know
    his IIS box is open.
    
    C:\>net send 64.173.141.242  you're wide open Patch your machine!
    The message was successfully sent to 64.173.141.242
    
    C:\>net send 64.173.141.242 The Chinese Worm is scanning from your box.
    The message was successfully sent to 64.173.141.242.
    
    Looks like some guy teaching a class...I can map a drive to his C$
    as well... sad..sad...sad....
    
    C:\>nbtstat -A 64.173.141.242
    
    Local Area Connection:
    Node IpAddress: [10.3.21.59] Scope Id: []
    
               NetBIOS Remote Machine Name Table
    
           Name               Type         Status
        ---------------------------------------------
        INSTRUCTOR     <00>  UNIQUE      Registered
        TRAINING       <00>  GROUP       Registered
        INSTRUCTOR     <20>  UNIQUE      Registered
        TRAINING       <1E>  GROUP       Registered
        INSTRUCTOR     <03>  UNIQUE      Registered
        INet~Services  <1C>  GROUP       Registered
        IS~INSTRUCTOR..<00>  UNIQUE      Registered
        TRAINING       <1D>  UNIQUE      Registered
        ..__MSBROWSE__.<01>  GROUP       Registered
        DUNCANC        <03>  UNIQUE      Registered
    
        MAC Address = 00-10-5A-29-E2-19
    
    
    -----Original Message-----
    From: Jonathan Rickman [mailto:jonathanat_private]
    Sent: Wednesday, August 01, 2001 9:52 AM
    To: abuseat_private
    Cc: incidentsat_private
    Subject: Code Red Scan
    
    
    
    Please take the following information for action...
    
    Log entry from www.xcorps.net:
    ==============================
    
    64.173.141.242 - - [01/Aug/2001:12:43:49 -0400] "GET
    /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u780
    1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
    090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%
    u0000%u00=a HTTP/1.0" 400 252
    
    ==============================
    
    Offender:
    =========
    
    adsl-64-173-141-242.dsl.snfc21.pacbell.net
    
    =========
    
    
    Information on the Code Red Worm can be obtained by sending email to:
    
    code-redat_private
    
    
    Thank you for your prompt attention to this matter...
    
    -- 
    Jonathan Rickman
    X Corps Security
    http://www.xcorps.net
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    

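The log entry Jonathan Rickman forwards above is the classic Code Red probe: a GET for /default.ida with a long run of "N" padding followed by %uXXXX-encoded bytes, answered here with a 400 because the target was not IIS. As an added example that is not part of this thread, the following Python script scans NCSA/Apache-style access-log lines for that request shape and reports the source address, timestamp, and whether the server actually accepted the request (a 2xx suggests a possibly hit IIS host, a 4xx means the target rejected it and only the source is of interest). The sample log is constructed; its first line rejoins the wrapped entry from the report, and the minimum N-run length of 64 is an assumption chosen to avoid matching ordinary short query strings.

```python
"""Flag Code Red probe attempts in NCSA/Apache-style access logs (added example)."""
import re

# NCSA common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# The probe in the report: GET /default.ida?NNN...N%u9090%u6858...
# A long run of 'N' pads the request; %uXXXX escapes carry the encoded payload.
# The minimum run length (64) is an assumption, not a figure from the report.
CODE_RED_RE = re.compile(r'^/default\.ida\?N{64,}(?:%u[0-9a-fA-F]{4})+', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_code_red_probe(path):
    """True if the request path has the /default.ida + N-padding + %u shape."""
    return bool(CODE_RED_RE.match(path))


def scan_log(lines):
    """Return one finding per Code Red probe: source, time, status and whether
    the server accepted it. 2xx: an IIS host may have been hit; 4xx: the
    request was rejected, so the target is fine but the source is infected."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not is_code_red_probe(rec["path"]):
            continue
        status = int(rec["status"])
        findings.append({
            "source": rec["ip"],
            "timestamp": rec["ts"],
            "status": status,
            "target_accepted": 200 <= status < 300,
        })
    return findings


# Constructed sample: the first line reproduces the entry quoted in the report
# (the wrapped N-run rejoined as 224 N's); the other two lines are benign.
CODE_RED_PATH = "/default.ida?" + "N" * 224 + (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LOG = [
    '64.173.141.242 - - [01/Aug/2001:12:43:49 -0400] "GET ' + CODE_RED_PATH + ' HTTP/1.0" 400 252',
    '192.0.2.10 - - [01/Aug/2001:12:44:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [01/Aug/2001:12:44:30 -0400] "GET /default.ida?foo=bar HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log with `scan_log(open("access.log"))`; the "target_accepted" flag is what separates an abuse report about the source (as in this thread) from an incident on the receiving host.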
    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 10:42:45 PDT