RE: Code Red and other anomalous activity from 1433

From: Michael Fredericks (mfredericksat_private)
Date: Thu Jul 11 2002 - 14:53:08 PDT


    Hi All,
    I've been getting slammed with Subseven attempts in the past 24 hours.
    Again they are almost all from Asia (APNIC) and most of the ones I've
    traced so far have been in Korea. Since it is Subseven, I wouldn't
    imagine they'd be spoofed so I think it is safe to say there is
    something weird going on in Asia.
    
    Michael Fredericks
    Manager - Networks and Telecommunications
    InfoSol, Inc.
    mfredericksat_private
    http://www.infosol.com/
    
    
    -----Original Message-----
    From: Graham, Randy (RAW) [mailto:RAWat_private] 
    Sent: Thursday, July 11, 2002 12:56 PM
    To: Curley Mr Eric P; incidentsat_private
    Subject: RE: Code Red and other anomalous activity from 1433
    
    Seeing about 24 hours worth of traffic here.  Started a little before 8:00
    yesterday morning.  Last we saw of it was around 6:30 today (at least, the
    last my internal snort sensor picked up - not sure if the firewall guys have
    just blocked it or if it has stopped).
    
    Randy Graham
    -- 
    Recursion (ri-'k&r-zh&n) [noun] - See: Recursion
    
    
    > -----Original Message-----
    > From: Curley Mr Eric P [mailto:CurleyEPat_private]
    > Sent: Thursday, July 11, 2002 10:26 AM
    > To: incidentsat_private
    > Subject: Code Red and other anomalous activity from 1433
    > 
    > 
    > Has anybody else been getting slammed by Code Red activity today?  It seems
    > to be coming from mostly Asian blocks, but there are some other blocks
    > thrown in there as well.  Then again it could all be spoofed and could be
    > coming from the 12 year old down the street.  Thrown into all this traffic
    > I'm also seeing a lot of Dest ports with 1433; possibly that SQL stuff that
    > happened last month.  Anywho, just wanted to know if anybody else was
    > experiencing this.
    > 
    > Cheers,
    > Eric
    > 
    > -----Original Message-----
    > From: H C [mailto:keydet89at_private]
    > Sent: Wednesday, July 10, 2002 1:40 PM
    > To: Pavel Kankovsky; incidentsat_private
    > Subject: RE: TCP port 139 probes
    > 
    > 
    > 
    > > Having done a superficial examination
    > > of system directories on those machines (they had a
    > > publicly accessible
    > > share, ergo I was invited, wasn't I? <g>) 
    > 
    > Uh...no, you weren't.  Just b/c a share is publicly
    > accessible, does NOT, in fact, mean that you were
    > invited.  This is simply the age-old rhetoric used to
    > justify malicious actions.  While many admins have
    > said that they would be very happy to be told by an
    > outsider that they had a vulnerable machine, to date
    > not a single one has said that they'd be happy to have
    > that person access the machine via some vulnerability
    > and take files.
    > 
    > > I downloaded 3 of them and they all seem to be
    > > compressed executables
    > 
    > As with your previous posts, this one is incredibly
    > vague and lacking in any useful information. 
    > Compressed with what?  PKZip?  UPX?  What version? 
    > Did you uncompress the files?
    > 
    > > having a common prefix, 
    > 
    > If you're referring to the first couple of bytes of
    > the file, "MZ" is the common prefix for executables on
    > Windows systems.
    > 
    > > and there are some fragments
    > > of strings ("rom",
    > > "y smt", ") with", "ESM", "Mime-", "-Typ", "quit"
    > > etc) in that common
    > > prefix suggesting there is some SMTP implementation
    > > there--presumably
    > > some kind of malware able to spread via email.
    > 
    > Did you run strings on the compressed or uncompressed
    > file?  
    >  
    > > But I did not find anything similar on other
    > > machines I examined.
    > 
    > Interesting how you've posted to a public list,
    > basically stating that while you refuse to do any
    > testing on your end to verify that the activity you're
    > seeing is a worm (in your own words to me via email,
    > you're "too lazy"), you're more than willing to access
    > vulnerable systems and take files...
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
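As an added example (not code from any poster in this thread), the script below does the kind of triage these messages describe by hand: it parses constructed iptables-style firewall drop lines, counts hits on the ports under discussion, and reports sources that sweep several internal hosts on the same port, which is scanner or worm behaviour rather than a one-off. The sample lines, the function names and the use of TCP/27374 as SubSeven's default listener are assumptions of the example, not something the thread states.

```python
import re
from collections import Counter, defaultdict

# Constructed iptables-style DROP lines (made up for this example, not from any list member's sensor).
SAMPLE_LOG = """\
Jul 11 08:02:13 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4412 DPT=1433
Jul 11 08:02:14 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4413 DPT=1433
Jul 11 08:02:15 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=4414 DPT=1433
Jul 11 08:05:40 fw kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=3021 DPT=80
Jul 11 08:06:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1055 DPT=27374
Jul 11 08:06:03 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.12 PROTO=TCP SPT=1056 DPT=27374
Jul 11 08:07:10 fw kernel: DROP IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)

# Ports the thread discusses: 1433 (MS SQL) and Code Red's target, TCP/80.
# 27374 is SubSeven's usual default listener, an assumption not stated on the page.
WATCH_PORTS = {1433: "MS SQL", 80: "HTTP / Code Red", 27374: "SubSeven (assumed default)"}

def parse(log_text):
    """Yield (src, dst, dpt) for each line the regex understands; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))

def hits_per_port(log_text):
    """Total drops per destination port, restricted to the watched ports."""
    return dict(Counter(dpt for _, _, dpt in parse(log_text) if dpt in WATCH_PORTS))

def horizontal_sweeps(log_text, min_targets=2):
    """Sources that probed at least min_targets distinct internal hosts on one
    watched port. One source walking many hosts on the same port looks like a
    scanner or worm; one host hammered repeatedly from one source does not."""
    targets = defaultdict(set)  # (src, dpt) -> set of dst addresses
    for src, dst, dpt in parse(log_text):
        if dpt in WATCH_PORTS:
            targets[(src, dpt)].add(dst)
    return {key: sorted(dsts) for key, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    for dpt, n in sorted(hits_per_port(SAMPLE_LOG).items()):
        print(f"port {dpt} ({WATCH_PORTS[dpt]}): {n} drops")
    for (src, dpt), dsts in horizontal_sweeps(SAMPLE_LOG).items():
        print(f"sweep: {src} -> {len(dsts)} hosts on port {dpt}")
```

Port 443 never appears in the output because it is not a watched port; widen WATCH_PORTS to match whatever your own sensor is showing.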



    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 18:28:32 PDT