Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Code Red

0 views
Skip to first unread message

Terry

unread,
Sep 19, 2001, 6:47:42 PM9/19/01
to
My adsl connection (static ip) running WinNT SBS is being hammered yesterday
and all day today by Code Red. Apparently the infected computers are within
the PacBell network. Any idea who to report this to?

-Terry
Here is an example of the log:
05:20:38 63.87.235.100 GET /scripts/..チ ../winnt/system32/cmd.exe 401
05:20:39 63.87.235.100 GET /scripts/winnt/system32/cmd.exe 401
05:20:39 63.87.235.100 GET /scripts/../../winnt/system32/cmd.exe 401
05:20:39 63.87.235.100 GET /scripts/..\../winnt/system32/cmd.exe 401
05:20:39 63.87.235.100 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:20:39 63.87.235.100 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:20:40 63.87.235.100 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:20:40 63.87.235.100 GET /scripts/..%2f../winnt/system32/cmd.exe 401
05:42:21 63.196.2.134 GET /scripts/root.exe 401
05:42:21 63.196.2.134 GET /MSADC/root.exe 401
05:42:21 63.196.2.134 GET /c/winnt/system32/cmd.exe 401
05:42:21 63.196.2.134 GET /d/winnt/system32/cmd.exe 401
05:42:21 63.196.2.134 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:42:21 63.196.2.134 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 401
05:42:21 63.196.2.134 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 401
05:42:22 63.196.2.134 GET
/msadc/..%5c../..%5c../..%5c/..チ ../..チ ../..チ ../winnt/system32/cmd.exe 401
05:42:22 63.196.2.134 GET /scripts/..チ ../winnt/system32/cmd.exe 401
05:42:22 63.196.2.134 GET /scripts/winnt/system32/cmd.exe 401
05:42:22 63.196.2.134 GET /scripts/../../winnt/system32/cmd.exe 401
05:42:22 63.196.2.134 GET /scripts/..\../winnt/system32/cmd.exe 401
05:42:22 63.196.2.134 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:42:22 63.196.2.134 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:42:22 63.196.2.134 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:42:24 63.196.2.134 GET /scripts/..%2f../winnt/system32/cmd.exe 401
05:43:04 63.116.56.34 GET /scripts/root.exe 401
05:43:04 63.116.56.34 GET /MSADC/root.exe 401
05:43:04 63.116.56.34 GET /c/winnt/system32/cmd.exe 401
05:43:04 63.116.56.34 GET /d/winnt/system32/cmd.exe 401
05:43:05 63.116.56.34 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:43:05 63.116.56.34 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 401
05:43:05 63.116.56.34 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 401
05:43:05 63.116.56.34 GET
/msadc/..%5c../..%5c../..%5c/..チ ../..チ ../..チ ../winnt/system32/cmd.exe 401
05:43:06 63.116.56.34 GET /scripts/..チ ../winnt/system32/cmd.exe 401
05:43:06 63.116.56.34 GET /scripts/winnt/system32/cmd.exe 401
05:43:06 63.116.56.34 GET /scripts/../../winnt/system32/cmd.exe 401
05:43:06 63.116.56.34 GET /scripts/..\../winnt/system32/cmd.exe 401
05:43:07 63.116.56.34 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:43:07 63.116.56.34 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:43:07 63.116.56.34 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:43:07 63.116.56.34 GET /scripts/..%2f../winnt/system32/cmd.exe 401
05:44:13 63.196.73.150 GET /scripts/root.exe 401
05:44:20 63.196.73.150 GET /MSADC/root.exe 401
05:44:26 63.196.73.150 GET /c/winnt/system32/cmd.exe 401
05:44:33 63.196.73.150 GET /d/winnt/system32/cmd.exe 401
05:44:39 63.196.73.150 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:44:45 63.196.73.150 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 401
05:44:51 63.196.73.150 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 401
05:44:55 63.196.2.136 GET /scripts/root.exe 401
05:44:55 63.196.2.136 GET /MSADC/root.exe 401
05:44:55 63.196.2.136 GET /c/winnt/system32/cmd.exe 401
05:44:55 63.196.2.136 GET /d/winnt/system32/cmd.exe 401
05:44:55 63.196.2.136 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:44:55 63.196.2.136 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 401
05:44:55 63.196.2.136 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 401
05:44:56 63.196.2.136 GET
/msadc/..%5c../..%5c../..%5c/..チ ../..チ ../..チ ../winnt/system32/cmd.exe 401
05:44:56 63.196.2.136 GET /scripts/..チ ../winnt/system32/cmd.exe 401
05:44:56 63.196.2.136 GET /scripts/winnt/system32/cmd.exe 401
05:44:56 63.196.2.136 GET /scripts/../../winnt/system32/cmd.exe 401
05:44:56 63.196.2.136 GET /scripts/..\../winnt/system32/cmd.exe 401
05:44:56 63.196.2.136 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:44:56 63.196.2.136 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:44:57 63.196.2.136 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:44:57 63.196.2.136 GET /scripts/..%2f../winnt/system32/cmd.exe 401
05:44:57 63.196.73.150 GET
/msadc/..%5c../..%5c../..%5c/..チ ../..チ ../..チ ../winnt/system32/cmd.exe 401
05:45:04 63.196.73.150 GET /scripts/..チ ../winnt/system32/cmd.exe 401
05:45:10 63.196.73.150 GET /scripts/winnt/system32/cmd.exe 401
05:45:17 63.196.73.150 GET /scripts/../../winnt/system32/cmd.exe 401
05:45:23 63.196.73.150 GET /scripts/..\../winnt/system32/cmd.exe 401
05:45:30 63.196.73.150 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:45:36 63.196.73.150 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:45:42 63.196.73.150 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:45:49 63.196.73.150 GET /scripts/..%2f../winnt/system32/cmd.exe 401
05:45:59 63.196.73.150 GET /scripts/root.exe 401
05:46:06 63.196.73.150 GET /MSADC/root.exe 401
05:46:11 63.196.73.150 GET /c/winnt/system32/cmd.exe 401
05:46:17 63.196.73.150 GET /d/winnt/system32/cmd.exe 401
05:46:23 63.196.73.150 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:46:30 63.196.73.150 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 401
05:46:36 63.196.73.150 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 401
05:46:42 63.196.73.150 GET
/msadc/..%5c../..%5c../..%5c/..チ ../..チ ../..チ ../winnt/system32/cmd.exe 401
05:46:48 63.196.73.150 GET /scripts/..チ ../winnt/system32/cmd.exe 401
05:46:55 63.196.73.150 GET /scripts/winnt/system32/cmd.exe 401
05:47:02 63.196.73.150 GET /scripts/../../winnt/system32/cmd.exe 401
05:47:08 63.196.73.150 GET /scripts/..\../winnt/system32/cmd.exe 401
05:47:14 63.196.73.150 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:47:20 63.196.73.150 GET /scripts/..S5c../winnt/system32/cmd.exe 401
05:47:27 63.196.73.150 GET /scripts/..%5c../winnt/system32/cmd.exe 401
05:47:41 64.163.122.10 GET /scripts/root.exe 401


Bill

unread,
Sep 21, 2001, 1:10:48 AM9/21/01
to
Hi Terry,

Mine too.

The least these as#hol$ virus writers could do is create their viruses to attack
Microsoft. Then maybe MS would get their act together and quit writing
vulnerable code.

Bill

Ed Subelman

unread,
Sep 21, 2001, 10:38:45 AM9/21/01
to
On Wed, 19 Sep 2001 15:47:42 -0700, "Terry" <tma...@mahertech.com> wrote:
> My adsl connection (static ip) running WinNT SBS is being hammered yesterday
> and all day today by Code Red. Apparently the infected computers are within
> the PacBell network. Any idea who to report this to?
>
> -Terry
> Here is an example of the log:
> 05:20:38 63.87.235.100 GET /scripts/..チ ../winnt/system32/cmd.exe 401
> 05:20:39 63.87.235.100 GET /scripts/winnt/system32/cmd.exe 401
> 05:20:39 63.87.235.100 GET /scripts/../../winnt/system32/cmd.exe 401
> 05:20:39 63.87.235.100 GET /scripts/..\../winnt/system32/cmd.exe 401
> 05:20:39 63.87.235.100 GET /scripts/..S5c../winnt/system32/cmd.exe 401
> 05:20:39 63.87.235.100 GET /scripts/..S5c../winnt/system32/cmd.exe 401
> 05:20:40 63.87.235.100 GET /scripts/..%5c../winnt/system32/cmd.exe 401
> 05:20:40 63.87.235.100 GET /scripts/..%2f../winnt/system32/cmd.exe 401

You are being hit by the "nimda" worm. The Code Red worm's probes contain
"GET /default.ida?XXXXX...." or "GET /default.ida?NNNNNN.....". Not that
this makes it any better.

In my opinion, PacBell (and any other responsible ISP) should disconnect
customers that are generating this sort of traffic. I know they are victims of
the worm, but their systems are generating enough traffic to reduce the
bandwith of all other customers. In addition, the infected systems are now
wide open to everyone on the internet, so PacBell would be doing them
a favor by disconnecting them until they have fixed their system

/E


nitzsche

unread,
Sep 21, 2001, 2:15:14 PM9/21/01
to
I've been getting 3,000 identical attacks a day, all unsuccessful. In my case,
it's rather more like a DOS attack than a worm.

Yet another good reason to not use Microsoft software.

0 new messages