Re: Fwd: Massive CMD.EXE and ROOT.EXE scan

From: John Q. Public (tpublicat_private)
Date: Tue Sep 18 2001 - 11:51:35 PDT

    If you're referring to the 127.*.*.* addresses, I believe the code is too dumb
    to realize those are loopback, and what you may be seeing are attempts by
    itself on an infected host.
    
    Then again, you may be seeing something completely different.
    
    .nhoJ
    
    
    On Tue, 18 Sep 2001, Florian Piekert wrote:
    
    |Date: Tue, 18 Sep 2001 19:44:33 +0200
    |From: Florian Piekert <floppyat_private>
    |To: "incidentsat_private" <incidentsat_private>
    |Subject: Fwd: Massive CMD.EXE and ROOT.EXE scan
    |
    |-----BEGIN PGP SIGNED MESSAGE-----
    |
    |Most of the used IPs seem to be spoofed though 8(
    |
    |
    |- -------
    |Hi All,
    |
    |My IDS indicates that at 9:30 AM EST a new wave of IIS vulnerability
    |scanning had started.
    |They are looking for /c/winnt/system32/cmd.exe and root.exe, coming mostly
    |from American IPs.
    |
    |Sasha Tulchinskiy
    |Aspen Security Team
    |
    |- ----------------------------------------------------------------------------
    |This list is provided by the SecurityFocus ARIS analyzer service.
    |For more information on this free incident handling, management 
    |and tracking system please see: http://aris.securityfocus.com
    |
    |
    |
    |===================END FORWARDED MESSAGE===================
    |
    |
    |
    |Florian Piekert                floppy@floppy.{de,org,net}
    |
    |<simply private... need a key? MY PGPP key? eMail me....>
    |
    |Voice & Fax +1001000010100101011000110110001010110101100
    |
    |PGP Public Key Fingerprint: 72E9 D42A 51E8 29CA  EE42 6029 5EF6 E9AB
    |
    |-----BEGIN PGP SIGNATURE-----
    |Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies.
    |
    |iQCVAwUBO6d58n4TBaVbilM9AQEx5AQAoFxoSGGGF5z11HhAPjq/0GZNH6pyoUvs
    |W9kXW3eTjnjByQKLyANvpxB0q5mPnJRL2g2bLNz6T127+tSuaEmTXb5kBm+eUxU7
    |xRX/ANuf6XRNRR2ltBPry+h7Ok7FHWUQd5k56yWEk40ZXRzTra8ZPuAadE8DCttZ
    |kH+0lPanm4I=
    |=lh7B
    |-----END PGP SIGNATURE-----
    |
    |
    |
    
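The thread describes two things a defender can check for in web-server logs: requests for cmd.exe and root.exe, and probe traffic whose source is a 127.x loopback address (which, as the reply suggests, is more plausibly the host hitting itself than a spoofed packet). The script below is an added example, not code from the thread or from any of its participants. It parses constructed Common Log Format lines (the addresses are RFC 5737 documentation ranges, the timestamps are made up, and the `/scripts/root.exe` location is an assumption, since the thread names only the file), counts probe requests, separates loopback from external sources, and flags any probe that did not get a 404, because a non-404 means the server actually answered for that path.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample access log in Common Log Format. Illustrative only: the
# source addresses are documentation ranges and the paths follow the thread
# (cmd.exe under /c/winnt/system32, root.exe at an assumed /scripts/ location).
SAMPLE_LOG = """\
192.0.2.17 - - [18/Sep/2001:09:31:02 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 -
192.0.2.17 - - [18/Sep/2001:09:31:03 -0400] "GET /scripts/root.exe HTTP/1.0" 404 -
127.0.0.1 - - [18/Sep/2001:09:31:05 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 -
198.51.100.8 - - [18/Sep/2001:09:31:07 -0400] "GET /index.html HTTP/1.0" 200 1043
127.0.0.1 - - [18/Sep/2001:09:31:09 -0400] "GET /scripts/root.exe HTTP/1.0" 200 -
"""

# One CLF line: source, ident, user, [timestamp], "request", status, size.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Requests whose path ends in cmd.exe or root.exe, the two files the thread
# reports the scanners asking for.
PROBE_RE = re.compile(r'/(?:cmd|root)\.exe$', re.IGNORECASE)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop any query string so matching is done on the requested file only.
    rec['path'] = rec['target'].split('?', 1)[0]
    rec['status'] = int(rec['status'])
    return rec


def is_probe(rec):
    """True if the request path names cmd.exe or root.exe."""
    return bool(PROBE_RE.search(rec['path']))


def is_loopback_source(src):
    """True for 127.0.0.0/8 or ::1; unparseable sources count as not loopback."""
    try:
        return ip_address(src).is_loopback
    except ValueError:
        return False


def summarize(log_text):
    """Count probe requests, split loopback (self-directed) hits from external
    ones, and record probes that got anything other than a 404."""
    summary = {
        'probe_hits': 0,
        'loopback_hits': 0,
        'external_sources': Counter(),
        'non_404_probes': [],
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec):
            continue
        summary['probe_hits'] += 1
        if is_loopback_source(rec['src']):
            # As the reply above suggests, a 127.x source is most plausibly the
            # host probing itself, so treat it as a sign this host may be
            # infected rather than as a spoofed external scan.
            summary['loopback_hits'] += 1
        else:
            summary['external_sources'][rec['src']] += 1
        if rec['status'] != 404:
            # The server answered for the probed path: worth a closer look.
            summary['non_404_probes'].append((rec['src'], rec['path'], rec['status']))
    return summary


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print(f"probe hits: {s['probe_hits']} (from loopback: {s['loopback_hits']})")
    print("external sources:", dict(s['external_sources']))
    for src, path, status in s['non_404_probes']:
        print(f"attention: {src} received HTTP {status} for {path}")
```

Run it against a real access log by passing the file contents to `summarize()`; a non-empty `non_404_probes` list, or any loopback hit, is the result worth escalating, while a stream of 404s from external sources is the background scanning the original poster describes.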
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 13:14:51 PDT