From owner-freebsd-security Mon Aug 20 0:22: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from yossman.com (yossman.com [206.172.46.172])
	by hub.freebsd.org (Postfix) with ESMTP id BF11137B412
	for ; Mon, 20 Aug 2001 00:22:04 -0700 (PDT)
	(envelope-from manero@yossman.com)
Received: from localhost (manero@localhost)
	by yossman.com (8.9.3/8.9.3) with ESMTP id DAA22357;
	Mon, 20 Aug 2001 03:15:30 -0400 (EDT)
	(envelope-from manero@yossman.com)
Date: Mon, 20 Aug 2001 03:15:30 -0400 (EDT)
From: Tony Collen
To: Alfred Perlstein
Cc: Wilko Bulte , "Carroll, D. (Danny)" , freebsd-security@FreeBSD.ORG
Subject: Re: Code Red is from default setup
In-Reply-To: <20010820021249.A81307@elvis.mu.org>
Message-ID:
X-ALL-YOUR-BASE: ARE BELONG TO US
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, 20 Aug 2001, Alfred Perlstein wrote:

> * Wilko Bulte [010820 01:53] wrote:
> > On Mon, Aug 20, 2001 at 08:50:57AM +0200, Carroll, D. (Danny) wrote:
> >
> > This is *FreeBSD* security, not MickeySoft latest bugs..
>
> Agreed. Although it would be amusing to detect default.ida requests
> and reply with a similar request the difference being that the reply
> one reboots/shuts-down the infected box.
>
> I'm surprised no one has suggested crafting such a tool.

Simple. Just request something like

/scripts/root.exe?/c+rundll.exe+user.exe,exitwindows

And the box should reboot. You might have to encode the periods and the
commas though.

--
Anthony Collen
manero@manero.org
http://manero.org

--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
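
The detection half of the idea quoted above, as an added example that is not part of the original message: a scanner for web server access logs that flags requests for `/default.ida` and `/scripts/root.exe`, decoding percent-encoding first so that paths with encoded periods are matched too. The Common Log Format input, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request paths named in the thread, mapped to a short label.
PROBES = {"/default.ida": "default.ida", "/scripts/root.exe": "root.exe"}

# Common Log Format (assumed): host ident user [time] "METHOD target PROTO" ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*"')

def classify(target):
    """Return the probe label for a request target, or None if benign."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # bounded, so %2e and double-encoded %252e both normalise
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Collapse duplicate slashes, accept backslashes, ignore case (IIS-style paths).
    path = re.sub(r"/+", "/", path.replace("\\", "/")).lower()
    return PROBES.get(path)

def scan(lines):
    """Count probe requests per (client address, label)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and (label := classify(m.group(2))):
            hits[(m.group(1), label)] += 1
    return hits

# Constructed sample lines (documentation addresses, shortened query strings).
SAMPLE = [
    '192.0.2.10 - - [20/Aug/2001:03:01:12 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205',
    '192.0.2.10 - - [20/Aug/2001:03:01:13 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [20/Aug/2001:03:02:40 -0400] "GET /scripts/root%2Eexe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [20/Aug/2001:03:02:41 -0400] "GET /Scripts//Root.exe?/c+dir HTTP/1.0" 404 210',
    '203.0.113.5 - - [20/Aug/2001:03:03:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for (host, label), n in sorted(scan(SAMPLE).items()):
        print(f"{host}\t{label}\t{n}")
```

On a host that does not run IIS these requests end in 404, so the per-address counts serve as a list of infected or scanning sources to block or report.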