Snort mailing list archives
Re: CODE RED III
From: Mike Baptiste <mike () baptistefamily net>
Date: Fri, 10 Aug 2001 15:06:15 -0400
I'm a tad skeptical on this one, though I may be proved wrong. No info on this exists anywhere beyond cnet that I've seen. (/. has a thread going - no new info there either) incidents.securityfocus mailing list is pretty quiet. And regarding a 'wider' backdoor - I mean how much wider can it get? Code Red II left a heck of a back door. Even if you wiped out root.exe in scripts and /msadc (which ran with guest permissions it seems), the compromised explorer.exe provides virtual drives you can access, so telnetting to port 80 and doing:

GET /c/winnt/system32/cmd.exe?command_to_run

works just fine. So that's a pretty big hole. But maybe this one drops more holes that are harder to find.

What kills me is how many people who got 0wn3d I've heard saying they just wiped out file x, y, and z and ran Sarc's cleaning tool and they're happy. When I tell them 'Gee, since your server was probing people all over the world with your IP saying here I am with a gaping hole, are you sure nobody got in and compromised other stuff?' They turn ashen and then I ask why they didn't just reformat and start over from a backup. ("backup? of the system directory?" :) )

LOL. Anyway, we'll soon see if Code Red III is real or not :)

Mike

Mark Spieth wrote:
FYI.....

Code Red III detected in South Korea
August 10, 2001, 6:10 a.m. PT
http://news.cnet.com/news/0-1003-200-6835996.html?tag=st.ne.1003.saslnk.saseml

A third, more dangerous variant of the Code Red computer worm has been discovered, South Korea's Information and Communication Ministry says.

_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
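Not part of the thread: an added Python example that scans IIS-style web log lines for the Code Red II backdoor paths Mike describes (the virtual drive to cmd.exe, and root.exe in /scripts and /msadc). It also covers the /d virtual drive the worm mapped alongside /c, decodes URL-encoding so obfuscated requests are not missed, and flags 200 responses as evidence the hole was actually used rather than merely probed. The log format and the sample lines are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log lines (not real traffic): date, time, client IP,
# method, URI stem, query, HTTP status. The cmd.exe query is the placeholder
# from the post, not a real command.
SAMPLE_LOG = """\
2001-08-10 19:02:11 10.0.0.5 GET /default.asp - 200
2001-08-10 19:02:15 10.0.0.7 GET /c/winnt/system32/cmd.exe command_to_run 200
2001-08-10 19:02:20 10.0.0.7 GET /scripts/root.exe command_to_run 200
2001-08-10 19:02:31 10.0.0.9 GET /msadc/root.exe command_to_run 404
2001-08-10 19:03:02 10.0.0.11 GET /d/winnt/system32/cmd.exe command_to_run 200
2001-08-10 19:03:10 10.0.0.12 GET /images/logo.gif - 200
"""

BACKDOOR_PATTERNS = [
    # Virtual directories /c and /d that the worm mapped onto C:\ and D:\,
    # exposing cmd.exe directly through the web server.
    (re.compile(r"^/[cd]/winnt/system32/cmd\.exe$", re.I), "virtual drive -> cmd.exe"),
    # cmd.exe copied as root.exe into the executable /scripts and /msadc dirs.
    (re.compile(r"^/(scripts|msadc)/root\.exe$", re.I), "root.exe dropped by worm"),
]

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify_request(uri_stem):
    """Return a reason string if the decoded URI stem is a Code Red II backdoor path, else None."""
    path = unquote(uri_stem).replace("\\", "/")   # undo %xx encoding and backslash tricks
    for pattern, reason in BACKDOOR_PATTERNS:
        if pattern.search(path):
            return reason
    return None

def scan_log(text):
    """Every request to a backdoor path, with whether the server answered 200 (backdoor live)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        _ts, ip, _method, stem, _query, status = m.groups()
        reason = classify_request(stem)
        if reason:
            hits.append({"ip": ip, "path": stem, "status": int(status),
                         "reason": reason, "used": status == "200"})
    return hits

def compromised_indicators(text):
    """Hits that returned 200: the backdoor exists and was exercised, so rebuild the host, don't just clean it."""
    return [h for h in scan_log(text) if h["used"]]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```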