Date:      Thu, 20 Sep 2001 20:39:11 +0300
From:      Giorgos Keramidas <charon@labs.gr>
To:        "Gary D. Margiotta" <gary@tbe.net>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: Code Red?!
Message-ID:  <20010920203911.A23424@hades.hell.gr>
In-Reply-To: <Pine.BSF.4.21.0109181410470.4810-100000@thud.tbe.net>
References:  <3.0.6.32.20010918131041.41301100@mail.seidata.com> <Pine.BSF.4.21.0109181410470.4810-100000@thud.tbe.net>

Gary D. Margiotta <gary@tbe.net> wrote:
> 
> In addition, we just got word from one of our offices that there is
> another happy joy M$ Outlook-based e-mail attachment worm which goes
> through the address book, spams everyone in it and shares out the C: drive
> for unrestricted sharing.

True.  Going through apache logs, I could find the IP addresses of a few
Windows 98 machines, many Windows NT workstation/server machines, and several
Windows 2000 boxes too.  Having only recently installed Samba for accessing
the files on a Windows box, I tried a few of them with:

	% smbclient //ip.addr.of.host/c\$ -N

A surprisingly large number of these machines allowed me in.  At least half of
them had recently modified files in either C:\Inetpub\wwwroot or (depending on
actual installation of IIS) on D:\Inetpub\wwwroot -- read ``recently
modified'' as ``recently defaced sites''.

Four of them had cdroms with backups still mounted on one of their drives.

Blech.  Am appalled to find out how many of the sites that `attack' my box have
already been victims of kiddies who are turning this new Windows trojan into a
deface-the-world party.

- giorgos
