Code Red and other anomalous activity from 1433

From: Curley Mr Eric P (CurleyEPat_private)
Date: Thu Jul 11 2002 - 07:25:53 PDT


    Has anybody else been getting slammed by Code Red activity today?  It seems
    to be coming from mostly Asian blocks, but there are some other blocks
    thrown in there as well.  Then again it could all be spoofed and could be
    coming from the 12-year-old down the street.  Thrown into all this traffic
    I'm also seeing a lot of Dest ports with 1433; possibly that SQL stuff that
    happened last month.  Anywho, just wanted to know if anybody else was
    experiencing this.
    
    Cheers,
    Eric
    
    -----Original Message-----
    From: H C [mailto:keydet89at_private]
    Sent: Wednesday, July 10, 2002 1:40 PM
    To: Pavel Kankovsky; incidentsat_private
    Subject: RE: TCP port 139 probes
    
    
    
    > Having done a superficial examination
    > of system directories on those machines (they had a
    > publicly accessible
    > share, ergo I was invited, wasn't I? <g>) 
    
    Uh...no, you weren't.  Just b/c a share is publicly
    accessible, does NOT, in fact, mean that you were
    invited.  This is simply the age-old rhetoric used to
    justify malicious actions.  While many admins have
    said that they would be very happy to be told by an
    outsider that they had a vulnerable machine, to date
    not a single one has said that they'd be happy to have
    that person access the machine via some vulnerability
    and take files.
    
    > I downloaded 3 of them and they all seem to be
    > compressed executables
    
    As with your previous posts, this one is incredibly
    vague and lacking in any useful information. 
    Compressed with what?  PKZip?  UPX?  What version?
    Did you uncompress the files?
    
    > having a common prefix, 
    
    If you're referring to the first couple of bytes of
    the file, "MZ" is the common prefix for executables on
    Windows systems.
    
    > and there are some fragments
    > of strings ("rom",
    > "y smt", ") with", "ESM", "Mime-", "-Typ", "quit"
    > etc) in that common
    > prefix suggesting there is some SMTP implementation
    > there--presumably
    > some kind of malware able to spread via email.
    
    Did you run strings on the compressed or uncompressed
    file?  
     
    > But I did not find anything similar on other
    > machines I examined.
    
    Interesting how you've posted to a public list,
    basically stating that while you refuse to do any
    testing on your end to verify that the activity you're
    seeing is a worm (in your own words to me via email,
    you're "too lazy"), you're more than willing to access
    vulnerable systems and take files...
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
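For the two points H C raises above, the "MZ" prefix and running strings against the packed rather than the unpacked file, here is an added Python triage example; it is not code from the thread or from either poster. It checks the DOS/PE magic, pulls printable strings the way strings(1) does, and flags UPX section names as a packing hint; the byte buffer is constructed for the demo and is not a real binary.

```python
import re
import struct

# Constructed sample, not a real executable: a DOS "MZ" stub whose e_lfanew
# (offset 0x3c) points at a "PE\0\0" signature, a UPX-style section name,
# and a few SMTP/MIME-looking strings like the ones reported in the thread.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)      # e_lfanew = 0x80
    + b"\x00" * (0x80 - 64)                              # pad to the PE header
    + b"PE\x00\x00" + b"\x00" * 20                       # signature + COFF header
    + b"UPX0\x00\x00\x00\x00" + b"\x00" * 8              # section name as UPX writes it
    + b"HELO smtp.example.invalid\r\n\x00Mime-Version: 1.0\x00quit\x00"
)


def is_pe(data):
    """True if the buffer starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def looks_packed(strings):
    """Crude packing hint: UPX leaves its section names (UPX0/UPX1) in the clear."""
    return any(s.startswith("UPX") for s in strings)


def triage(data):
    """Summarise a sample the way a first pass on a suspicious file would."""
    found = extract_strings(data)
    return {
        "is_pe": is_pe(data),
        "packed_hint": looks_packed(found),
        "mail_strings": [s for s in found
                         if "Mime-" in s or s.startswith(("HELO", "quit"))],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A packed binary typically yields only the packer's own strings until it is unpacked, which is why the "packed or unpacked" question matters before reading anything into the SMTP fragments.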



    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 12:26:19 PDT