Date: Thu, 20 Sep 2001 20:39:11 +0300
From: Giorgos Keramidas
To: "Gary D. Margiotta"
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
Message-ID: <20010920203911.A23424@hades.hell.gr>
References: <3.0.6.32.20010918131041.41301100@mail.seidata.com>

Gary D. Margiotta wrote:
>
> In addition, we just got word from one of our offices that there is
> another happy joy M$ Outlook-based e-mail attachment worm which goes
> through the address book, spams everyone in it and shares out the C: drive
> for unrestricted sharing.

True.  Going through apache logs, I could find the IP addresses of a
few Windows 98 machines, many Windows NT workstation/server machines,
and several Windows 2000 boxes too.  Having only recently installed
Samba for accessing the files on a Windows box, I tried a few of them
with:

    % smbclient //ip.addr.of.host/c\$ -N

A surprisingly large number of these machines allowed me in.
At least half of them had recently modified files in either
C:\Inetpub\wwwroot or (depending on actual installation of IIS) on
D:\Inetpub\wwwroot -- read ``recently modified'' as ``recently defaced
sites''.  Four of them had cdroms with backups still mounted on one of
their drives.

Blech.  Am appalled to find out how many of the sites that `attack' my
box have already been victims of kiddies who are turning this new
Windows trojan into a deface-the-world party.

- giorgos
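
An added example, not part of the original message: one way to pull the probing source addresses out of an Apache access log, which the post describes doing by hand. The signature set (`/default.ida?` requests as sent by Code Red, and `root.exe`/`cmd.exe` query probes against IIS paths), the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Request-path signatures (assumed rule set, not taken from the post).
SIGNATURES = [
    ("code-red", re.compile(r'/default\.ida\?', re.I)),
    ("iis-cmd-probe", re.compile(r'/(?:root|cmd)\.exe\?', re.I)),
]

def classify(request):
    """Return the signature label for a logged request line, or None."""
    parts = request.split(" ")
    if len(parts) < 2:          # Apache logs "-" for an empty request
        return None
    for label, rx in SIGNATURES:
        if rx.search(parts[1]):
            return label
    return None

def summarize(lines):
    """Map source IP -> {label: hit count} for lines matching a signature."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # skip malformed lines
        label = classify(m.group(3))
        if label:
            hits[m.group(1)][label] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE = [
    '192.0.2.10 - - [20/Sep/2001:20:01:11 +0300] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276',
    '198.51.100.7 - - [20/Sep/2001:20:02:03 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281',
    '198.51.100.7 - - [20/Sep/2001:20:02:04 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295',
    '203.0.113.5 - - [20/Sep/2001:20:03:40 +0300] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [20/Sep/2001:20:03:41 +0300] "GET /docs/cmd.exe.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE).items()):
        print(ip, counts)
```

The signatures match on the request path only, so an ordinary page whose name merely contains `cmd.exe` (the last sample line) is not counted.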