cmd.exe root.exe in apache logs


Subject: cmd.exe root.exe in apache logs
From: FeLoNiouS MoNK (codered@gci.net)
Date: Tue Apr 09 2002 - 21:02:40 AKDT


ok all .. if you see the lines in your log files...

/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" $ blahblah
....and so on wit root and cmd.exe ..

then you are just gettin hit by the CodeRED that infected someone else's computer... people had been thinkin that it was someone actually sittin at a terminal scannin and tryin to run scripts .. aka script kiddies.. but no .. it's not.. the nice thing to do is to email the root of whatever ip it's coming from to let them know that they are infected wit codered .. but considering it's a winblowz virri there prolly is no root .. hehe .. unf! .. anywayz this thing takes over a winbox and sets up shop .. and it works like what this guy shadowknight did a while ago .. he used to make rootkits that would root boxes and make them root other boxes and so on down the line .. he's in prison now.. *shrug* .. anywayz ..

THa_FeLoN_MoNK aka Codered@gci.net...
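
A log check for the kind of request quoted in the message above, as an added example that is not part of the original post: it percent-decodes each request URL until it stops changing, flags requests for cmd.exe or root.exe, and groups them by source address. The log lines and addresses are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Apr/2002:20:58:01 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [09/Apr/2002:20:58:02 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
198.51.100.7 - - [09/Apr/2002:21:00:15 -0800] "GET /index.html HTTP/1.1" 200 1042
203.0.113.5 - - [09/Apr/2002:21:01:40 -0800] "GET /docs/cmd.exe-howto.html HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
PROBE_RE = re.compile(r'(?:^|/)(cmd|root)\.exe$')  # executable is the last path segment

def fully_decode(url, max_rounds=5):
    """Percent-decode repeatedly; return (decoded url, number of rounds that changed it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(url)
        if decoded == url:
            break
        url, rounds = decoded, rounds + 1
    return url, rounds

def classify(url):
    """Return a label for cmd.exe/root.exe probes, or None for ordinary requests."""
    decoded, rounds = fully_decode(url)
    # Drop the query string, treat backslashes as path separators, ignore case.
    path = decoded.split("?", 1)[0].replace("\\", "/").lower()
    if not PROBE_RE.search(path):
        return None
    if "../" in path:
        return "traversal-double-encoded" if rounds > 1 else "traversal"
    return "direct"

def summarize(log_text):
    """Map source IP -> list of (label, HTTP status) for every probe line."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            ip, _method, url, status = m.groups()
            label = classify(url)
            if label:
                hits[ip].append((label, int(status)))
    return dict(hits)

if __name__ == "__main__":
    for ip, probes in summarize(SAMPLE_LOG).items():
        print(ip, len(probes), probes)
```

The status code kept with each hit shows whether the server refused the request, and the per-address grouping gives the list of sources to report to their administrators.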




This archive was generated by hypermail 2a23 : Tue Apr 09 2002 - 21:01:51 AKDT