[ale] Code Red II!!! Disregard previous reply!!!

SAngell at nan.net SAngell at nan.net
Tue Aug 7 09:27:19 EDT 2001




Doesn't really surprise me. I was only attempting to show that a lot of admins
are taking the threat seriously and trying to patch their systems. However, one
note I forgot to mention yesterday. I ran the patches on all of our IIS servers
somewhere around June 19. Was supposedly protected! Yesterday, when the second
strain started rolling around, everyone was saying that if the patches were
installed then you are safe this go-round. WRONG!!! I performed a search and
found the root.exe payload sitting on 2 servers at a second locale that I know
were patched but were not protected by my IDS here at my office. They were
promptly relocated!


So the patch may not actually be as foolproof as MS would lead you to believe.


Steve Angell,  MCSE, CCNA
MIS Operations Manager
TSYS Total Debt Management
Phone 770-409-5570
Fax      770-416-1752


From: Jonathan Rickman <jonathan at xcorps.net>
Sent: 08/07/01 09:13 AM
To: ale at ale.org
cc: (bcc: Steve Angell/tdm)
Subject: Re: [ale] Code Red II!!! Disregard previous reply!!!





On Tue, 7 Aug 2001 SAngell at nan.net wrote:

> I think you are correct. Microsoft reported that the patches to correct the
> vulnerability in Index Server were downloaded over 1 million times since June 18,
> 2001. Seeing that, you have to wonder if there is any other objective by future
> attacks other than to absorb bandwidth.

Don't even get me started. Microsoft has put an incredible spin on this whole
thing, making themselves out to be the Knight in Shining armor riding in to save
the day with their hotfix. Here's one for you...

64.4.1.40 - - [06/Aug/2001:05:03:54 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 1442 "-" "-"

MS Hotmail (NETBLK-HOTMAIL)
   1065 La Avenida
   Mountain View, CA 94043
   US

   Netname: HOTMAIL
   Netblock: 64.4.0.0 - 64.4.63.255

   Coordinator:
      Myers, Michael  (MM520-ARIN)  icon at HOTMAIL.COM
      650-693-7072

   Domain System inverse mapping provided by:

   NS1.HOTMAIL.COM              216.200.206.140
   NS3.HOTMAIL.COM              209.185.130.68

   Record last updated on 09-Jan-2001.
   Database last updated on 6-Aug-2001 23:07:48 EDT.

OOPS...looks like that patch isn't as widely distributed as MS is telling
everyone. They missed one themselves...actually, they missed several but I don't
want to turn ALE into a CRII log forum.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.



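Added example (not code from either poster): a small Python script that does what Jonathan did by hand with that log line. It pulls the default.ida probes out of an Apache-style access log, tells the N-filler and X-filler variants apart, lists the source addresses (on a non-IIS box the 404 only means the probe missed, so the source IP is the infected host worth a whois), and decodes the %u escapes from the quoted request so you can see the 0x90 NOP bytes and the 32-bit value the request pushes. The sample log lines are constructed for this example: the first mirrors the shape of the request in Jonathan's mail, the other three (a made-up N-filler probe, a benign hit, and a request for the root.exe file Steve found on his servers) are invented to exercise the other branches. Reading each %u unit little-endian and scanning for the 0x68 'push imm32' opcode are my assumptions about how to read the bytes, not something the thread states.

```python
"""Code Red / Code Red II probe detection over Apache-style access logs.

Added example for this thread, not code from either poster. Sample log
lines are constructed; only the first reproduces the shape (filler length
and %u payload) of the request quoted in the mail above.
"""
import re
import struct

# %u payload exactly as it appears in the quoted request line.
CRII_PAYLOAD = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed sample log. Line 1: shape of the line in Jonathan's mail (224 X filler).
# Line 2: made-up N-filler probe. Line 3: benign traffic. Line 4: made-up request
# for the root.exe file Steve describes finding on his patched IIS boxes.
SAMPLE_LOG = "\n".join([
    '64.4.1.40 - - [06/Aug/2001:05:03:54 -0400] "GET /default.ida?'
    + "X" * 224 + CRII_PAYLOAD + '  HTTP/1.0" 404 1442 "-" "-"',
    '10.1.2.3 - - [06/Aug/2001:05:10:00 -0400] "GET /default.ida?'
    + "N" * 224 + CRII_PAYLOAD + '  HTTP/1.0" 404 1442 "-" "-"',
    '192.0.2.9 - - [06/Aug/2001:05:11:30 -0400] "GET /index.html HTTP/1.0" 200 5123 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [06/Aug/2001:05:12:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
])

# Apache common/combined log format: host ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)\s+(?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_ida_probe(path):
    """Return (filler_char, filler_len, payload) for a /default.ida overflow probe, else None."""
    if not path.lower().startswith("/default.ida?"):
        return None
    query = path.split("?", 1)[1]
    run = re.match(r"([A-Za-z])\1*", query)          # leading run of one repeated letter
    if run is None:
        return None
    filler = run.group(0)
    payload = re.match(r"(?:%u[0-9a-fA-F]{4})+", query[len(filler):])
    if payload is None:
        return None
    return filler[0], len(filler), payload.group(0)


def classify(path):
    """Label a request path: Code Red probe (by filler letter), root.exe probe, or None."""
    probe = parse_ida_probe(path)
    if probe:
        ch = probe[0]
        return {"N": "Code Red (N filler)",
                "X": "Code Red II (X filler)"}.get(ch, f"Code Red variant ({ch} filler)")
    if "root.exe" in path.lower():
        return "root.exe backdoor probe"
    return None


def infected_sources(log_text):
    """Map source IP -> label for every probe line. The source, not the 404ing
    target, is the host to chase (it is what Jonathan ran whois on)."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        label = classify(m.group("path"))
        if label:
            hits[m.group("ip")] = label
    return hits


def decode_u_escapes(payload):
    """Turn %uXXXX escapes into bytes. Assumption: each 16-bit unit is laid out
    little-endian, so %u9090 -> 90 90 and %u6858 -> 58 68."""
    units = re.findall(r"%u([0-9a-fA-F]{4})", payload)
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)


def pushed_immediates(code):
    """32-bit values after each 0x68 byte (x86 'push imm32'). A raw byte scan,
    so it can also fire on a 0x68 that is data rather than an opcode."""
    return [struct.unpack_from("<I", code, i + 1)[0]
            for i, b in enumerate(code) if b == 0x68 and i + 5 <= len(code)]


if __name__ == "__main__":
    for ip, label in infected_sources(SAMPLE_LOG).items():
        print(f"{ip:<16} {label}")
    code = decode_u_escapes(CRII_PAYLOAD)
    print(f"{len(code)} bytes, {code.count(0x90)} x 0x90 (NOP), "
          f"push values: {[hex(v) for v in pushed_immediates(code)]}")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; anything it lists under "Code Red II (X filler)" is a host that is itself infected, regardless of what the status column says on your side.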