[Snort-users] Code Green???

Missaghi, Shawn Shawn.Missaghi at ...1955...
Tue Sep 18 13:37:03 EDT 2001


This is the preliminary information known at this time
Symantec has received a number of submissions and has assessed this as a
level 4 threat rating.

There is a new mass-mailing worm that utilizes email to propagate itself.
The threat arrives as readme.exe in an email. 

In addition, the worm sends out probes to IIS servers attempting to spread
by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm.
Compromised servers may display a webpage prompting a visitor to download an
Outlook file which contains the worm as an attachment.

Also, the worm will create an open network share allowing access to the
system. The worm will also attempt to spread via open network shares.
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@...3071...

Increase in Port 80 (HTTP) scanning activity
This morning (September 18th) the CERT/CC started receiving reports of a
massive increase in scanning directed at port 80 (HTTP). Reports indicate
that this scanning activity is attempting to exploit systems previously
compromised by Code Red II and/or the sadmind/IIS worm as well as other
known vulnerabilities in Microsoft Internet Information Server (IIS). Please
see CERT Vulnerability Note VU#111677
<http://www.kb.cert.org/vuls/id/111677> for information on the type of
vulnerability being exploited.
The following is a log excerpt of this scanning activity: 
GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET
/msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/sy
stem32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
The CERT/CC has also received reports of a possibly new piece of malicious
code named "readme.exe" being sent via email. Preliminary analysis indicates
that this file may be related to the increase in port 80 scanning activity. 
Sites are encouraged to verify the state of security patches on all IIS
servers and email client software. Administrators may also want to add
filters to mail servers to block the "readme.exe" attachment. In addition,
sites may wish to notify users of the existence of "readme.exe" and its
potential threat. 

-----Original Message-----
From: Ian Cudlip [mailto:ian at ...3488...]
Sent: Tuesday, September 18, 2001 1:56 PM
To: Steve Halligan; 'richard'; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Code Green???


I've had it infect machines patched for code red, but not patched with the
ms 
sec. roll-up.

Ian.

On Tuesday 18 September 2001  5:34 pm, Steve Halligan wrote:
> > This infected our previously patched for code red, winnt and win2k
> > systems.. One of them i even fixed yesterday and put Microsofts
> > CodeRedCleanup tool on it. It is placing the root.exe file on the hard
> > drive.
>
> Can anyone verify that this is infecting IIS server patched to current
> levels?
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

============================================================================================
NOTICE - This communication may contain confidential and privileged information that is for the sole use of the intended recipient.  Any viewing, copying or distribution of, or reliance on this message by unintended recipients is strictly prohibited.  If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

==============================================================================





More information about the Snort-users mailing list