Thread: Stop trying to infect me. Is this possible?

  1. #1

    Thread Starter
    Hyperactive Member Al Smith's Avatar
    Join Date
    May 1999
    Location
    Marcellus, MI. USA
    Posts
    330

    Stop trying to infect me. Is this possible?

    Hi,
    Every morning my server logs are filled with dozens of the following:
    2002-04-17 00:08:52 217.83.72.182 - 10.72.64.27 80 GET /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir 401 -
    2002-04-17 00:45:23 12.99.208.230 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 401 -
    2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /MSADC/root.exe /c+dir 403 -
    2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
    2002-04-17 01:50:10 12.239.52.5 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 401 -
    2002-04-17 01:50:14 12.239.52.5 - 10.72.64.27 80 GET /MSADC/root.exe /c+dir 403 -
    2002-04-17 01:50:14 12.239.52.5 - 10.72.64.27 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
    2002-04-17 01:50:16 12.239.52.5 - 10.72.64.27 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
    2002-04-17 01:50:16 12.239.52.5 - 10.72.64.27 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2002-04-17 01:50:17 12.239.52.5 - 10.72.64.27 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
    I recognize this as attempts to gain control of my system for some nefarious purpose. I believe the viruses Code-Red and Nimda use this method to infect systems.
    One of the things it looks for is a root.exe in the /scripts or /MSADC folders, neither of which exists on my system.

    Question:
    I was wondering if it would be possible to create a program named root.exe that would:

    1. Send a message to the offending IP telling them to disinfect their system.
    or
    2. Stop their web server.
    or
    3. Blow up their system.

    Any thoughts or comments?

    Thanks,
    Al.
    A computer is a tool, not a toy.

  2. #2
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Just some thoughts, no help....

    Question:
    I was wondering if it would be possible to create a program named root.exe that would:

    1. Send a message to the offending IP telling them to disinfect their system.
    or
    2. Stop their web server.
    or
    3. Blow up their system.
    So you'd be replacing your root.exe? Nimda just wishes to affect these files, create admin shares, and propagate itself.

    I think.....

    1. no.
    2. see above.
    3. see above.

    You could simply send them an email? how come you haven't done that?

    These are just thoughts/comments...

  3. #3

    Thread Starter
    Hyperactive Member Al Smith's Avatar
    Join Date
    May 1999
    Location
    Marcellus, MI. USA
    Posts
    330
    Thanks for the reply.
    I have emailed some of the sites when I can identify them but this is time consuming. I was hoping for some way to automate it.
    I have written a program that extracts the IP addresses from the log files but I can't email directly to these.

    Since my system doesn't have a root.exe in the scripts or MSADC folder, I wouldn't be replacing it. I'd be creating a false root.exe.

    Al.
    A computer is a tool, not a toy.

  4. #4
    Black Cat JoshT's Avatar
    Join Date
    Nov 2000
    Location
    WNY, USA
    Posts
    4,032
    It looks like scans by computers already infected by Nimda or Code Red - chances are the admins of these servers are pretty clueless. Anyway, if your server has been secured, it's really just an annoyance in your log files.

    Also, I think attempting to send anything would just make your server less secure.
    Josh
    Get these: Mozilla Opera OpenBSD
    I have books for sale: "MCSD in a Nutshell" and "VB Distributed Exam Cram" - PM me for details. Will also trade for a decent ATX Pentium 2 MB/CPU/RAM combo.

  5. #5
    joan_fl
    Guest
    I had this problem a while back... Apply all of Microsoft's security patches, then buy Norton AntiVirus. I don't have any problems anymore.

  6. #6
    Frenzied Member blindlizard's Avatar
    Join Date
    Feb 2001
    Location
    Austin, TX - United States of America
    Posts
    1,141
    joan is correct. We had that same attack on our web servers. Once we installed the latest patches it went away. It is just a simple buffer overflow attack.
    I drink to make other people more interesting!
    [vbcode]On Error GoTo Bar[/vbcode]
    http://www.monsterlizard.com

  7. #7
    Black Cat JoshT's Avatar
    Join Date
    Nov 2000
    Location
    WNY, USA
    Posts
    4,032
    You will still see the failed attacks in your server logs, regardless of whether you use IIS, Apache, etc. As long as you're logging failed attacks, you're fine. Applying patches will prevent the attacks from working, but it will not stop the attackers from trying.
    Josh
    Get these: Mozilla Opera OpenBSD
    I have books for sale: "MCSD in a Nutshell" and "VB Distributed Exam Cram" - PM me for details. Will also trade for a decent ATX Pentium 2 MB/CPU/RAM combo.
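    The log lines quoted in the first post, the IP extraction Al describes in post #3, and Josh's point in post #7 that a patched server still records the failed attempts all come down to the same task: parse the IIS log, recognise the cmd.exe/root.exe probes, group them by source address, and check the status code to tell a rejected probe (401/403/404) from one the server actually answered (2xx). The script below is an added example written for this thread, not code from any of the posters. It assumes the W3C extended field order shown in the `#Fields` comment (the original post did not include that header), and the sample log is constructed: the first lines copy the thread's own entries, while the `192.0.2.77` lines (a 200 response to `/scripts/root.exe`, and a double-encoded `%255c` traversal) are invented to exercise the "succeeded" and double-decoding branches.

```python
"""Triage IIS W3C-extended log lines for Code Red / Nimda style probes.

Added example for this thread, not code from the original posters.
Assumption: the field order matches the #Fields line below; the post
quoted the entries without their header.
"""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log. The 217.*, 12.* entries are the thread's own
# lines; the 10.72.64.99 and 192.0.2.77 entries are made up for the example.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-04-17 00:08:52 217.83.72.182 - 10.72.64.27 80 GET /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 00:45:23 12.99.208.230 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 401 -
2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /MSADC/root.exe /c+dir 403 -
2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:16 12.239.52.5 - 10.72.64.27 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:17 12.239.52.5 - 10.72.64.27 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 02:10:00 10.72.64.99 - 10.72.64.27 80 GET /default.htm - 200 Mozilla/4.0
2002-04-17 02:11:05 192.0.2.77 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 200 -
2002-04-17 02:12:40 192.0.2.77 - 10.72.64.27 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 -
"""

FIELD_NAMES = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
               "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
               "cs(User-Agent)"]

# Binaries the worms try to reach: cmd.exe via traversal, or a root.exe
# copy of cmd.exe left behind by an earlier infection.
PROBE_BINARIES = ("cmd.exe", "root.exe")


def parse_line(line):
    """Split one W3C extended log line into a dict; None for comments/blank."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELD_NAMES):
        return None
    return dict(zip(FIELD_NAMES, parts[:len(FIELD_NAMES)]))


def decode_path(path):
    """Percent-decode until stable (so %255c -> %5c -> \\ is caught too),
    then fold backslashes to slashes and lowercase, mirroring how the
    server would map the path before comparing it."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/").lower()


def classify(rec):
    """Return indicator names for one record; empty list means it looks benign."""
    path = decode_path(rec["cs-uri-stem"])
    query = decode_path(rec["cs-uri-query"])
    indicators = []
    if "../" in path:
        indicators.append("traversal")
    if any(path.endswith(b) for b in PROBE_BINARIES):
        indicators.append("shell-binary")
    if query.startswith("/c+"):          # cmd.exe's /c switch, e.g. /c+dir
        indicators.append("command-arg")
    return indicators


def triage(log_text):
    """Group probes by source IP. Any probe answered with a 2xx means the
    server served or executed the request and must be investigated; 401/403/404
    are the normal noise a patched server keeps logging."""
    by_ip = defaultdict(lambda: {"probes": 0, "succeeded": [], "indicators": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if not hits:
            continue
        entry = by_ip[rec["c-ip"]]
        entry["probes"] += 1
        entry["indicators"].update(hits)
        if rec["sc-status"].startswith("2"):
            entry["succeeded"].append(rec["cs-uri-stem"])
    return dict(by_ip)


def probe_sources(by_ip):
    """Sorted list of probing addresses, the input for an abuse-contact lookup."""
    return sorted(by_ip)


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for ip in probe_sources(summary):
        e = summary[ip]
        flag = "INVESTIGATE" if e["succeeded"] else "blocked"
        print(f"{ip:16} probes={e['probes']:2} {flag:11} {sorted(e['indicators'])}")
```

Running it on the constructed sample prints one line per source address; only `192.0.2.77` is marked INVESTIGATE because its `/scripts/root.exe` request got a 200, which is exactly the case Josh's "as long as you're logging failed attacks, you're fine" does not cover.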
