[lug] possible intrusion
Harris, James
James_Harris at maxtor.com
Fri Jul 20 10:33:07 MDT 2001
It is the Code Red Worm. See http://www.cert.org/advisories/CA-2001-19.html
-----Original Message-----
From: Greg Horne [mailto:jeerygh at hotmail.com]
Sent: Friday, July 20, 2001 10:19
To: lug at lug.boulder.co.us
Subject: Re: [lug] possible intrusion
This morning when I was reading the mail about the possible intrusion and as
I was going through my server logs (Apapche on linux) and noticed about 30
IP's had tried the exact same thing on my server (NNNNNNNN's and all :)). I
thought it was particularly funny because my company is kind of small and
interesting things like this happening to us :) We do have one NT server,
so I'll be looking for any patches. Has anybody already found specific
packages?
Greg Horne
>From: Deva Samartha <blug-receive at mtbwr.net>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] possible intrusion
>Date: Thu, 19 Jul 2001 13:21:04 -0600
>
>Looks like they are not getting in - unless they get in, deliver a
>gift and then go on - this I have not checked yet since I am not
>able to identify the shell/buffercode yet. The package would have been
>overwritten 30 x or so, by now.
>
>The incoming data is 4 .. 10 k in packets and outgoing it's
>anywhere from 50 .. 100 k response of the server. They connect
>once and are never seen again. All happens within seconds.
>
>Maybe they are picking something up?
>
>I checked into one source and there I could overwrite the
>IP number of the router with a wide open web interface, look at
>connection times etc.
>(I have not actually checked, if a different IP would have
>been accepted, but the web interface was there and accessible ;-)
>So, with this background - one can assume the system/LAN was compromised.
>I was unable to contact the party.
>
>Apache just gives out an error message:
>"Client sent malformed Host header"
> and give the 300 byte long NNNN code message in the log
>
>I will email to security focus as suggested, because if nobody else
>sees this kind of traffic, I could be compromised :-(
>
>
>Thank you,
>
>Samartha
>
>>This may be of interest:
>>http://www.astalavista.com/exploits/iis/buffer2.shtml
>>http://www.eeye.com/html/Research/Advisories/AD20010618.html
>>http://www.bhs.silesianet.pl/html/overflow_in_6.0.htm
>>
>>
>>My guess is they are looking for MS IIS servers to root. If you are
>>running any MS machines there with unpatched web server, they are
>>probably gone.
>>
>>D. Stimits, stimits at idcomm.com
>>_______________________________________________
>>Web Page: http://lug.boulder.co.us
>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
>_______________________________________________
>Web Page: http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
_______________________________________________
Web Page: http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
More information about the LUG
mailing list