I just nbtstat'd this guy's DSL. I winpopped him to let him know his IIS box is open.

C:\>net send 64.173.141.242 you're wide open Patch your machine!
The message was successfully sent to 64.173.141.242

C:\>net send 64.173.141.242 The Chinese Worm is scanning from your box.
The message was successfully sent to 64.173.141.242.

Looks like some guy teaching a class...I can map a drive to his C$ as well...
sad..sad...sad....

C:\>nbtstat -A 64.173.141.242

Local Area Connection:
Node IpAddress: [10.3.21.59] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    INSTRUCTOR     <00>  UNIQUE      Registered
    TRAINING       <00>  GROUP       Registered
    INSTRUCTOR     <20>  UNIQUE      Registered
    TRAINING       <1E>  GROUP       Registered
    INSTRUCTOR     <03>  UNIQUE      Registered
    INet~Services  <1C>  GROUP       Registered
    IS~INSTRUCTOR..<00>  UNIQUE      Registered
    TRAINING       <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    DUNCANC        <03>  UNIQUE      Registered

    MAC Address = 00-10-5A-29-E2-19

-----Original Message-----
From: Jonathan Rickman [mailto:jonathanat_private]
Sent: Wednesday, August 01, 2001 9:52 AM
To: abuseat_private
Cc: incidentsat_private
Subject: Code Red Scan

Please take the following information for action...

Log entry from www.xcorps.net:
==============================
64.173.141.242 - - [01/Aug/2001:12:43:49 -0400] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u780
1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%
u0000%u00=a HTTP/1.0" 400 252
==============================

Offender:
=========
adsl-64-173-141-242.dsl.snfc21.pacbell.net
=========

Information on the Code Red Worm can be obtained by sending email to:
code-redat_private

Thank you for your prompt attention to this matter...

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

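A log triage sketch for reports like the one in this thread, added here as an example and not part of the original posts: it re-joins Common Log Format records that a mail client hard-wrapped, then flags `/default.ida` requests carrying a long single-character filler run followed by `%uXXXX` words. The thresholds, function names and sample log (documentation addresses, shortened stand-in payload) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \S+$')
NEW_RECORD = re.compile(r'^\S+ \S+ \S+ \[')
IDA = re.compile(r'^GET /default\.ida\?(.*)$', re.I)
FILLER = re.compile(r'(.)\1{99,}')               # assumption: 100+ repeats of one character
UENC = re.compile(r'(?:%u[0-9a-fA-F]{4}){2,}')   # assumption: 2+ consecutive %uXXXX words

def unwrap(text):
    """Re-join records that a mail client hard-wrapped, as in the report above."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if NEW_RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line   # continuation of the previous record
    return records

def classify(record):
    """Return a finding dict for a Code Red style request, else None."""
    m = CLF.match(record)
    if not m:
        return None
    host, when, request, status = m.groups()
    q = IDA.match(request)
    if not q or not (FILLER.search(q.group(1)) and UENC.search(q.group(1))):
        return None
    return {"src": host, "time": when, "status": int(status),
            "filler": FILLER.search(q.group(1)).group(1)}

def scan(text):
    findings = [f for f in map(classify, unwrap(text)) if f]
    return findings, Counter(f["src"] for f in findings)

# Constructed sample log (documentation addresses, shortened stand-in payload).
SAMPLE = "\n".join([
    '192.0.2.10 - - [01/Aug/2001:12:40:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [01/Aug/2001:12:43:49 -0400] "GET /default.ida?' + "N" * 60,
    "N" * 60,
    "N" * 40 + '%u9090%u9090%u00=a HTTP/1.0" 400 252',
    '192.0.2.10 - - [01/Aug/2001:12:44:10 -0400] "GET /default.ida?q=test HTTP/1.0" 404 210',
])

if __name__ == "__main__":
    print(*scan(SAMPLE)[0], sep="\n")
```

The per-source counter gives the hit count to quote when reporting a scanning host to its provider's abuse contact.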
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 10:42:45 PDT