[svlug] scripts/root.exe, etc

Walter Reed wreed at hubinternet.com
Thu Nov 29 08:18:02 PST 2001


On Thu, Nov 29, 2001 at 05:20:53AM -0500, S wrote:
> Hi,
> My apache logs has lots of the following stuff:
> 203.64.47.241 - - [19/Nov/2001:04:01:19 +0530] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
> 203.64.47.241 - - [19/Nov/2001:04:01:20 +0530] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274 "-" "-"
> 203.64.47.241 - - [19/Nov/2001:04:01:22 +0530] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284 "-" "-"
> 203.64.47.241 - - [19/Nov/2001:04:01:26 +0530] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284 "-" "-"
> 203.64.47.241 - - [19/Nov/2001:04:01:31 +0530] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-
> "
> 
> from google, i found out this is some code red virus.
> Should I worry about this ?
> Can I do something to stop this ?
> I am on RH71.

One person on Bugtraq posted a script that would firewall a machine that was
issuing these probes, but others pointed out that this could be use to deny
proxy users access to your site by issuing fake probes thus getting the proxy
blocked.

It would be nice if you could launch a retaliatory attack back that would
disable the attacker, but I believe this has some legal issues. With the new
anti-terrorism laws, I don't know if I would want to even try this for academic
purposes (Free speech? What free speech? There's that "chilling" effect again.)

>From a "self defense" point of view, my personal feeling is that it should be
legal, but IANAL.

Bottom line is that code red is annoying, but totally harmless to you (other than
eating up your bandwidth...)

Honestly, I don't understand why ISP's are not taking a more proactive approach
here.  With flat rate bandwidth (most customers), they lose money due to code
red type worms. Most of the code red attacks I've seen are from home machines
on cable / DSL.





More information about the svlug mailing list