[lug] possible intrusion

Greg Horne jeerygh at hotmail.com
Fri Jul 20 12:42:10 MDT 2001


Oh I knew that, thanks for the reply though.  I just thought it was humorous 
that my company was hit.  Randomly seeded IPs though, so I guess we all had a 
pretty good chance of getting hit :)

Greg Horne

>From: "Harris, James" <James_Harris at maxtor.com>
>Reply-To: lug at lug.boulder.co.us
>To: "'lug at lug.boulder.co.us'" <lug at lug.boulder.co.us>
>Subject: RE: [lug] possible intrusion
>Date: Fri, 20 Jul 2001 10:33:07 -0600
>
>It is the Code Red Worm.  See 
>http://www.cert.org/advisories/CA-2001-19.html
>
>-----Original Message-----
>From: Greg Horne [mailto:jeerygh at hotmail.com]
>Sent: Friday, July 20, 2001 10:19
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] possible intrusion
>
>
>This morning when I was reading the mail about the possible intrusion and as
>I was going through my server logs (Apache on linux) I noticed about 30
>IPs had tried the exact same thing on my server (NNNNNNNN's and all :)).  I
>thought it was particularly funny because my company is kind of small and
>interesting things like this happening to us :)  We do have one NT server,
>so I'll be looking for any patches.  Has anybody already found specific
>packages?
>
>Greg Horne
>
> >From: Deva Samartha <blug-receive at mtbwr.net>
> >Reply-To: lug at lug.boulder.co.us
> >To: lug at lug.boulder.co.us
> >Subject: Re: [lug] possible intrusion
> >Date: Thu, 19 Jul 2001 13:21:04 -0600
> >
> >Looks like they are not getting in - unless they get in, deliver a
> >gift and then go on - this I have not checked yet since I am not
> >able to identify the shell/buffercode yet. The package would have been
> >overwritten 30 x or so, by now.
> >
> >The incoming data is 4 .. 10 k in packets and outgoing it's
> >anywhere from 50 .. 100 k response of the server. They connect
> >once and are never seen again. All happens within seconds.
> >
> >Maybe they are picking something up?
> >
> >I checked into one source and there I could overwrite the
> >IP number of the router with a wide open web interface, look at
> >connection times etc.
> >(I have not actually checked, if a different IP would have
> >been accepted, but the web interface was there and accessible ;-)
> >So, with this background - one can assume the system/LAN was compromised.
> >I was unable to contact the party.
> >
> >Apache just gives out an error message:
> >"Client sent malformed Host header"
> >and gives the 300 byte long NNNN code message in the log
> >
> >I will email to security focus as suggested, because if nobody else
> >sees this kind of traffic, I could be compromised :-(
> >
> >
> >Thank you,
> >
> >Samartha
> >
> >>This may be of interest:
> >>http://www.astalavista.com/exploits/iis/buffer2.shtml
> >>http://www.eeye.com/html/Research/Advisories/AD20010618.html
> >>http://www.bhs.silesianet.pl/html/overflow_in_6.0.htm
> >>
> >>
> >>My guess is they are looking for MS IIS servers to root. If you are
> >>running any MS machines there with unpatched web server, they are
> >>probably gone.
> >>
> >>D. Stimits, stimits at idcomm.com
> >>_______________________________________________
> >>Web Page: http://lug.boulder.co.us
> >>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
>
>
>


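As a defender-side illustration added here (it is not code from anyone in the thread), the following Python scans Apache access-log lines for the long run of N characters that the posters saw in their logs and counts how many distinct sources probed the server. The log lines are constructed for this example; the Apache combined log format and the /default.ida request target are taken from the CERT advisory cited above, not from the thread itself.

```python
import re
from collections import Counter

# Constructed Apache combined-format access-log lines standing in for the
# "about 30 IPs" described in the thread (example data, not from the list).
# Code Red's request is a GET for /default.ida followed by a long run of N
# filler (the "NNNN" the posters noticed) and encoded shellcode; a non-IIS
# server such as Apache rejects it, logged here as a 400 with a ~300 byte body.
N_FILLER = "N" * 224
SAMPLE_LINES = [
    f'192.0.2.10 - - [19/Jul/2001:13:02:11 -0600] "GET /default.ida?{N_FILLER}%u9090 HTTP/1.0" 400 300 "-" "-"',
    '198.51.100.7 - - [19/Jul/2001:13:05:42 -0600] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    f'203.0.113.44 - - [19/Jul/2001:13:09:03 -0600] "GET /default.ida?{N_FILLER}%u9090 HTTP/1.0" 400 300 "-" "-"',
    f'192.0.2.10 - - [19/Jul/2001:13:21:04 -0600] "GET /default.ida?{N_FILLER}%u9090 HTTP/1.0" 400 300 "-" "-"',
]

# Fields of the Apache combined log format that matter for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# The filler is hundreds of bytes long; a threshold of 100 N's will not fire
# on ordinary URLs but still catches a truncated copy of the request.
N_RUN = re.compile(r"N{100,}")


def parse_line(line):
    """Split one access-log line into fields; None if it is not parseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(request):
    """True when the request line carries Code Red's long run of N filler."""
    return N_RUN.search(request) is not None


def summarize(lines):
    """Count probes per source IP so the operator sees the breadth of the
    scanning rather than just a single noisy entry in the error log."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_code_red_probe(rec["req"]):
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LINES).most_common():
        print(f"{ip}: {n} Code Red probe(s)")
```

Because the worm only targets IIS, a hit in an Apache log means the host was scanned, not compromised; the count of distinct sources is the useful signal for deciding whether the traffic is a targeted attack or, as in this thread, random Internet-wide scanning.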



