Security Incidents mailing list archives
Re: Fwd: Massive CMD.EXE and ROOT.EXE scan
From: "John Q. Public" <tpublic () dimensional com>
Date: Tue, 18 Sep 2001 12:51:35 -0600 (MDT)
If you're referring to the 127.*.*.* addresses, I believe the code is too
dumb to realize those are loopback, and what you may be seeing are
attempts by itself on an infected host. Then again, you may be seeing
something completely different.

.nhoJ

On Tue, 18 Sep 2001, Florian Piekert wrote:

|Date: Tue, 18 Sep 2001 19:44:33 +0200
|From: Florian Piekert <floppy () floppy org>
|To: "incidents () securityfocus com" <incidents () securityfocus com>
|Subject: Fwd: Massive CMD.EXE and ROOT.EXE scan
|
|-----BEGIN PGP SIGNED MESSAGE-----
|
|Most of the used IPs seem to be spoofed though 8(
|
|
|- -------
|Hi All,
|
|My IDS indicates that at 9:30 AM EST a new wave of IIS vulnerability
|scanning had started.
|They are looking for /c/winnt/system32/cmd.exe and root.exe, coming mostly
|from American IPs.
|
|Sasha Tulchinskiy
|Aspen Security Team
|
|- ----------------------------------------------------------------------------
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management
|and tracking system please see: http://aris.securityfocus.com
|
|===================END FORWARDED MESSAGE===================
|
|Florian Piekert floppy@floppy.{de,org,net}
|<simply private... need a key? MY PGPP key? eMail me....>
|Voice & Fax +1001000010100101011000110110001010110101100
|PGP Public Key Fingerprint: 72E9 D42A 51E8 29CA EE42 6029 5EF6 E9AB
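An added example, not part of the thread or written by any of its participants: one way to pull the cmd.exe and root.exe requests described above out of a web server access log and separate the hits whose logged source falls in 127.0.0.0/8, the case raised in the reply. The Common Log Format, the sample lines, the addresses and all function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Common Log Format lines (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:30:02 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 284
127.0.0.1 - - [18/Sep/2001:09:30:05 -0400] "GET /root.exe HTTP/1.0" 404 276
198.51.100.7 - - [18/Sep/2001:09:31:10 -0400] "GET /index.html HTTP/1.0" 200 1043
127.44.3.9 - - [18/Sep/2001:09:31:12 -0400] "GET /C/WINNT/system32/CMD.EXE HTTP/1.0" 404 284
203.0.113.5 - - [18/Sep/2001:09:32:40 -0400] "GET /docs/cmd.exe.html HTTP/1.0" 200 512
garbage line without a request
"""

# source, ident, user, [timestamp], "METHOD target ...", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
PROBE_NAMES = {"cmd.exe", "root.exe"}  # the two targets named in the thread


def classify_source(addr):
    """Label a logged source address as loopback, other, or unparseable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    return "loopback" if ip.is_loopback else "other"


def find_probes(log_text):
    """Return (hits, skipped); hits are (source, class, target, status)."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # count malformed lines instead of dropping them silently
            continue
        src, _method, target, status = m.groups()
        # Compare only the final path component, case-insensitively, so that
        # /docs/cmd.exe.html is not reported as a probe.
        name = urlsplit(target).path.rsplit("/", 1)[-1].lower()
        if name in PROBE_NAMES:
            hits.append((src, classify_source(src), target, int(status)))
    return hits, skipped


def summarize(hits):
    """Count probe hits per source class."""
    return Counter(cls for _src, cls, _target, _status in hits)
```
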
Current thread:
- Massive CMD.EXE and ROOT.EXE scan Tulchinskiy, Sasha (Sep 18)
- <Possible follow-ups>
- Fwd: Massive CMD.EXE and ROOT.EXE scan Florian Piekert (Sep 18)
- Re: Fwd: Massive CMD.EXE and ROOT.EXE scan John Q. Public (Sep 18)
