Odd Apache Log Entry... Code red? ... And how to shutdown an infected box.
Brian Densmore
DensmoreB at ctbsonline.com
Thu Aug 9 14:07:59 CDT 2001
> -----Original Message-----
> From: Steven L. Brendtro [mailto:sbrendtro at home.com]
>
>
> Now how about this one... there are several log entries that
> start with:
> "GET /scripts/..%c1%9c../winnt/system32/cmd.exe... - 404"
> followed by several hundred lines of binary looking garbage:
> ";øv?FÈ<NÈ+Á?E"
>
> I read somewhere that the cmd.exe is part of Code Red's
> attack. Does anyone
> know what exactly is all the binary garbage I am getting in
> my log files?
That doesn't look like what I have been reading about. It looks more like
someone trying to exploit infected machines. Probably some "script kiddie"
who didn't do his/her homework. Or it could be Code Red III, the newer, more
improved version?
Code red makes Trojan copies of the cmd.exe and makes them "world
readable/executable" with "administrator" rights.
> -----Original Message-----
> From: Charles Steinkuehler [mailto:charles at steinkuehler.net]
>
> shutdown /L /Y /C
>
> Apparently, however, this undocumented command has been changed (removed)
> for 2K. Anyone know how to do something similar in 2K?
How about "cmd.exe format /X c:"
/X forces a dismount and closes all file handles before formatting (if
necessary)
[CERT recommends a format and reinstall for infected systems anyway]
;')>
Brian
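One way to pick the probe Steven describes out of an Apache access log, added here as an example rather than code from the thread. The log lines are constructed; the lenient decoder mirrors how a permissive server-side decoder collapses an overlong sequence such as %c1%9c into a plain backslash, which is what turns the request into a directory traversal.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache common-log lines (not real traffic). The third entry mimics
# the "binary looking garbage" rows from the thread: no parseable request, so it
# is skipped rather than flagged.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [09/Aug/2001:13:55:36 -0500] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.9 - - [09/Aug/2001:13:57:01 -0500] '
    '"GET /scripts/..%c1%9c../winnt/system32/cmd.exe HTTP/1.0" 404 276',
    ';\xf8v?F\xc8<N\xc8+\xc1?E',
    '10.0.0.9 - - [09/Aug/2001:13:57:02 -0500] '
    '"GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 276',
    '10.0.0.7 - - [09/Aug/2001:13:58:10 -0500] "GET /docs/setup.html HTTP/1.0" 200 1024',
])

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def lenient_decode(path):
    """Percent-decode, then collapse overlong two-byte UTF-8 sequences (%c1%9c is
    an overlong '\\') the way a permissive decoder does, exposing the traversal."""
    raw = unquote_to_bytes(path)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80:  # overlong encoding of an ASCII byte
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return out.decode("latin-1")

def find_probes(log_text):
    """One record per request whose decoded path escapes the web root or names
    cmd.exe; lines that are not well-formed requests are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = lenient_decode(m["path"]).replace("\\", "/").lower()
        if "../" in decoded or "cmd.exe" in decoded:
            hits.append({"client": line.split()[0], "raw_path": m["path"],
                         "decoded": decoded, "status": int(m["status"])})
    return hits
```

Both encoded variants normalise to the same decoded path, so a 404 on that path from the same client is the signal to alert on, whatever encoding the probe used.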