Seeing about 24 hours worth of traffic here. Started a little before 8:00 yesterday morning. Last we saw of it was around 6:30 today (at least, the last my internal snort sensor picked up - not sure if the firewall guys have just blocked it or if it has stopped).

Randy Graham
--
Recursion (ri-'k&r-zh&n) [noun] - See: Recursion

> -----Original Message-----
> From: Curley Mr Eric P [mailto:CurleyEPat_private]
> Sent: Thursday, July 11, 2002 10:26 AM
> To: incidentsat_private
> Subject: Code Red and other anomalous activity from 1433
>
>
> Has anybody else been getting slammed by Code Red activity
> today? It seems
> to be coming from mostly Asian blocks but there are some other blocks
> thrown in there as well. Then again it could all be spoofed
> and could be
> coming from the 12 year old down the street..Thrown into all
> this traffic
> I'm also seeing a lot of Dest ports with 1433; Possibly that
> SQL stuff that
> happened last month..anywho, just wanted to know if anybody else was
> experiencing this.
>
> Cheers,
> Eric
>
> -----Original Message-----
> From: H C [mailto:keydet89at_private]
> Sent: Wednesday, July 10, 2002 1:40 PM
> To: Pavel Kankovsky; incidentsat_private
> Subject: RE: TCP port 139 probes
>
>
> > Having done a superficial examination
> > of system directories on those machines (they had a
> > publicly accessible
> > share, ergo I was invited, wasn't I? <g>)
>
> Uh...no, you weren't. Just b/c a share is publicly
> accessible, does NOT, in fact, mean that you were
> invited. This is simply the age-old rhetoric used to
> justify malicious actions. While many admins have
> said that they would be very happy to be told by an
> outsider that they had a vulnerable machine, to date
> not a single one has said that they'd be happy to have
> that person access the machine via some vulnerability
> and take files.
>
> > I downloaded 3 of them and they all seem to be
> > compressed executables
>
> As with your previous posts, this one is incredibly
> vague and lacking in any useful information.
> Compressed with what? PKZip? UPX? What version?
> Did you uncompress the files?
>
> > having a common prefix,
>
> If you're referring to the first couple of bytes of
> the file, "MZ" is the common prefix for executables on
> Windows systems.
>
> > and there are some fragments
> > of strings ("rom",
> > "y smt", ") with", "ESM", "Mime-", "-Typ", "quit"
> > etc) in that common
> > prefix suggesting there is some SMTP implementation
> > there--presumably
> > some kind of malware able to spread via email.
>
> Did you run strings on the compressed or uncompressed
> file?
>
> > But I did not find anything similar on other
> > machines I examined.
>
> Interesting how you've posted to a public list,
> basically stating that while you refuse to do any
> testing on your end to verify that the activity you're
> seeing is a worm (in your own words to me via email,
> you're "too lazy"), you're more than willing to access
> vulnerable systems and take files...
>
>
> __________________________________________________
> Do You Yahoo!?
> Sign up for SBC Yahoo! Dial - First Month Free
> http://sbc.yahoo.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
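The questions H C puts to the original poster (is the "common prefix" just the MZ header, is the file UPX-packed, were the strings taken from the packed or unpacked file) are the usual first-pass triage of a suspicious executable. The following script is an added illustration of that triage and is not code from the thread or from any of its posters. It checks for the MZ stub, follows e_lfanew to the PE header and reads the section names (UPX leaves UPX0/UPX1 sections behind unless they were renamed), pulls printable strings the way the `strings` tool does, and looks for SMTP and MIME fragments of the kind Pavel reports. The marker list and the sample bytes it runs against are constructed for the example, not taken from any real file.

```python
import re
import struct
from typing import List, Optional

# Printable-ASCII runs of at least 4 bytes, the same default the `strings` tool uses.
_STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Assumed marker list (chosen for this example, not from the thread): fragments an
# executable carrying its own SMTP client or MIME builder would be likely to contain.
SMTP_MARKERS = ("HELO", "EHLO", "MAIL FROM", "RCPT TO", "QUIT",
                "Mime-Version", "Content-Type", "From:", "Subject:")


def is_mz(data: bytes) -> bool:
    """True if the file starts with the 'MZ' DOS stub every Windows executable shares."""
    return data[:2] == b"MZ"


def pe_section_names(data: bytes) -> Optional[List[str]]:
    """Walk the PE headers and return the section names, or None if this is not a PE file.

    Layout: e_lfanew at 0x3C points at 'PE\\0\\0'; the 20-byte COFF header follows, then the
    optional header (its size is in the COFF header), then 40-byte section headers whose
    first 8 bytes are the section name.
    """
    if not is_mz(data) or len(data) < 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_opt_hdr,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + size_opt_hdr
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            break  # truncated section table: stop rather than read garbage
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(section_names: List[str]) -> bool:
    """UPX leaves its section names in the packed file unless the packer was told to rename them."""
    return any(name.startswith("UPX") for name in section_names)


def extract_strings(data: bytes) -> List[str]:
    """Printable strings, as `strings` would report them; on a packed file these are mostly
    the packer's own, so the question 'packed or unpacked?' decides what the output means."""
    return [m.decode("ascii") for m in _STRINGS_RE.findall(data)]


def smtp_indicators(data: bytes) -> List[str]:
    """Markers from SMTP_MARKERS that occur (case-insensitively) in any extracted string."""
    found = {marker for s in extract_strings(data)
             for marker in SMTP_MARKERS if marker.lower() in s.lower()}
    return sorted(found)


def triage(data: bytes) -> dict:
    """One-shot summary of the checks above for a file's bytes."""
    sections = pe_section_names(data)
    return {
        "mz": is_mz(data),
        "pe": sections is not None,
        "sections": sections or [],
        "upx": looks_upx_packed(sections or []),
        "smtp_markers": smtp_indicators(data),
    }


def build_sample() -> bytes:
    """Constructed stand-in for a sample: a minimal PE with UPX section names and a few
    SMTP/MIME string fragments appended. Not a real binary and not from the thread."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE header at 0x80
    dos += b"\0" * (0x80 - len(dos))
    # COFF header: i386, 3 sections, no optional header (size 0) to keep the sample short
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1", b".rsrc"))
    tail = b"\0From: \0y smtp\0Mime-Version: 1.0\0QUIT\r\n\0"
    return bytes(dos) + b"PE\0\0" + coff + sections + tail


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run on a real file, replace `build_sample()` with the file's bytes; a result with `upx` set and only a handful of strings means the strings pass was run on the packed image and should be repeated after unpacking before anything is concluded about an embedded SMTP engine.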
This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 14:47:48 PDT