It seems there may be some unusual network activity today worth noting.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 September, 2001 10:49
To: [EMAIL PROTECTED]
Subject: RE: Code Red backdoor triggered?
> Heads up. Pay attention to your servers today. I just
> started detecting a *ton* of these requests. I think it's
> a follow-up worm programmed to take advantage of the
> backdoors Code Red dropped on infected computers. Maybe a
> Code Red III?
>
> -Cameron
>
> [09/18/2001 09:25:55.136 GMT-0400] Connection:
> dhcp181.onewebsystems.com
> (130.205.102.181) on port 80 (tcp).
> [09/18/2001 09:25:55.166 GMT-0400] GET
> /scripts/root.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
After a more careful reading, I don't think this is an attack at all. I
think it's worse than an attack.
The GET request doesn't do anything except run the DOS dir command using the
command processor. But, if a server responds with an HTTP 200 status code,
this indicates that the server is vulnerable to running cmd.exe through the
web server.
So, my guess is that this is a vulnerability scan. Once a list of vulnerable
servers is compiled, a real attack would take much less time than a Code
Red-style attack, since you could build the list of vulnerable servers into
the attack code!
This idea has been discussed a bit in the last month or so - it's called a
"Warhol" worm, the idea being that an attack might cover the mass of
vulnerable machines in fifteen minutes. Here's a URL to the article:
http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
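The thread's point is that the request itself is harmless (it only runs `dir`), but a 200 response means the web server handed the query to the command processor, so the response code, not the request, is what separates a scanned host from a compromised one. The following is an added example, not code from the thread or its authors, that applies that logic to web server logs: it matches the `root.exe?/c+` / `cmd.exe?/c+` request shape shown above, records every probe per source address, and separately lists the requests the server answered with 200. The log layout (a W3C-style field order of date, time, client IP, method, URI stem, URI query, status) and the sample lines, including the RFC 5737 test addresses, are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Request shape from the thread: a path to root.exe (the cmd.exe copy Code Red II
# left behind in /scripts or /MSADC) or to cmd.exe itself, followed by "?/c+<command>",
# which makes IIS pass <command> to the command processor.
BACKDOOR_PROBE = re.compile(
    r"^(?P<path>/(?:scripts|msadc)/root\.exe|.*/cmd\.exe)\?/c\+(?P<cmd>.*)$",
    re.IGNORECASE,
)

# Constructed sample log (field order is an assumption of this example, not the
# format used in the thread). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:25:55 198.51.100.181 GET /scripts/root.exe /c+dir 404
2001-09-18 13:25:57 203.0.113.7 GET /index.html - 200
2001-09-18 13:26:02 198.51.100.181 GET /scripts/root.exe /c+dir 200
2001-09-18 13:26:09 192.0.2.44 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
"""


@dataclass
class Finding:
    source_ip: str
    path: str
    command: str
    status: int
    verdict: str  # "probe": request refused; "served": cmd.exe ran, treat host as compromised


def classify_request(source_ip, uri_stem, uri_query, status):
    """Return a Finding if the request is a backdoor probe, otherwise None."""
    query = "" if uri_query == "-" else uri_query
    target = f"{uri_stem}?{query}" if query else uri_stem
    m = BACKDOOR_PROBE.match(target)
    if not m:
        return None
    # A 200 means the server actually executed the command processor: the scan
    # result, not the scan itself, is the bad news the thread is warning about.
    verdict = "served" if status == 200 else "probe"
    return Finding(source_ip, m.group("path"), m.group("cmd"), status, verdict)


def scan_iis_log(text):
    """Parse the constructed W3C-style lines and collect matching requests."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, ip, _method, stem, query, status = fields[:7]
        finding = classify_request(ip, stem, query, int(status))
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Probe count per source address, plus the requests the server answered with 200."""
    probes_by_source = Counter(f.source_ip for f in findings)
    served = [f for f in findings if f.verdict == "served"]
    return probes_by_source, served


if __name__ == "__main__":
    by_source, served = summarize(scan_iis_log(SAMPLE_LOG))
    for ip, n in by_source.most_common():
        print(f"{ip}: {n} probe(s)")
    for f in served:
        print(f"SERVED 200 to {f.source_ip}: {f.path} ran '{f.command}' (host likely compromised)")
```

On a real server the useful output is the "served" list: a 404 or 403 for `root.exe` says the scanner found nothing, while a 200 says the host is already running commands for anyone who asks and should be treated as compromised rather than merely scanned.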