Computer Games Forum

Old 31-07-2001, 21:40   #1 (permalink)
Registered User
 
Join Date: Feb 2001
Location: Bucuresti
Virus tonight at midnight ???

They said on Antena 1 that some virus (something .. Red code, I think) supposedly activates at 0.00 GMT across pretty much the whole net?...
Is there anything to it?
__________________
Indubitably! or ....
 
adynis is offline    Reply With Quote
Old 31-07-2001, 22:03   #2 (permalink)
Registered User
 
razvi's Avatar
 
Join Date: Jul 1999
Location: Bucuresti
As usual, the Romanian media is full of cretins.

To find out whether or not you have been infected, go here:
http://security1.norton.com/us/crdet...d=us&venid=sym

Quote:
The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service on computers running Microsoft Windows NT 4.0 and Windows 2000 that run IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability contained in the file Idq.dll. Information about this vulnerability and a Microsoft patch is located at:

http://www.microsoft.com/technet/sec...n/MS01-033.asp

The worm sends its code as an HTTP request. The HTTP request exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The malicious code is not saved as a file, but is inserted into and then run directly from memory.

Once run, the worm checks for the file C:\Notworm. If this file exists, the worm does not run and the thread goes into an infinite sleep state.

If the file C:\Notworm does not exist, then new threads are created. If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to infect the source computer, the worm will not make HTTP requests to the IP addresses 127.*.*.* .

If the default language of the computer is U.S. English, further threads cause Web pages to appear defaced. First, the thread sleeps two hours and then hooks a function, which responds to HTTP requests. Instead of returning the correct Web page, the worm returns its own HTML code.

The HTML displays:

Welcome to http:// www.worm.com !
Hacked By Chinese!

This hook lasts for 10 hours and is then removed. However, reinfection or other threads can rehook the function.

Two versions of this worm have been seen in the wild. The second version does not cause the webpages to be defaced.

Also, if the date is between the 20th and 28th of the month, the active threads then attempt a Denial of Service attack on a particular IP address by sending large amounts of junk data to port 80 (Web service) of 198.137.240.91, which was www.whitehouse.gov. This IP address has been changed and is no longer active.

Finally, if the date is later than the 28th of the month, the worm's threads are not run, but are directed into an infinite sleep state. This multiple-thread creation can cause computer instability.
__________________
... brrrrrrrraaaaainzzzzzzz ..
 
razvi is offline    Reply With Quote
Old 01-08-2001, 00:20   #3 (permalink)
Registered User
 
Virtual_Fighter's Avatar
 
Join Date: Oct 2000
Location: Lost in space...
uhh

I've calmed down a bit.. so it's not about a flu or who knows what plague like "vacca locco".. it's only for websites
__________________
My soul is black as the moonless sky
So please just leave and let me Die
For i have been your faithful knight
In death have you returned my pride
 
Virtual_Fighter is offline    Reply With Quote
Old 01-08-2001, 03:44   #4 (permalink)
Registered User
 
PigBrother's Avatar
 
Join Date: Mar 1999
Location: Bucuresti
According to the exceptional TVR news, Red Code is an: "earthworm" !?!?!
__________________
balanced for lean
 
PigBrother is offline    Reply With Quote
Old 01-08-2001, 09:56   #5 (permalink)
Call me Lou.
 
Strangelove's Avatar
 
Join Date: May 2000
The exe that checks whether or not the computer is vulnerable to the worm is zipped and attached (and it's clean of viruses & stuff)
Attached Files
File Type: zip crdetect.zip (13.4 KB, 11 views)
__________________
i hope i'll be alive at the end of the world.
 
Strangelove is offline    Reply With Quote
Old 01-08-2001, 10:23   #6 (permalink)
Registered User
 
Mr. Grumpy's Avatar
 
Join Date: Feb 2001
Location: of course
and that exe requires the service packs for 2000 to be installed
so I took the opportunity to install them too ..
 
Mr. Grumpy is offline    Reply With Quote
Old 01-08-2001, 10:36   #7 (permalink)
Hit ANY key...
 
Join Date: Feb 2001
Location: Somewhere outside Bucharest...
Re: As usual, the Romanian media is full of cretins.

Quote:
Originally posted by razvi
It's not only the Romanian media that is full of cretins. If you had watched CNN you would have concluded that the Romanian media has some of the most intelligent reporters, even if they are completely clueless about what they're saying

Anyway, this patch has been on Microsoft's site for at least 2 weeks (that's when I got it), but nobody said anything about it back then. All this noise is mostly for nothing.

Those affected by the virus are the ones running Win2000/WinNT together with IIS and Index Server. The others are not. So if you have Win2000/WinNT as a web server, you can use Apache as the web server and then you are not affected by "code red".

So those who don't have IIS installed have nothing to worry about; they are not affected by this worm.
__________________
After me, the flood...
 
bibicu is offline    Reply With Quote
Old 01-08-2001, 11:50   #8 (permalink)
Registered User
 
Join Date: Jan 2001
stupidity has its price ... the funny thing is that I received emails with this very virus from none other than the people authorized for M$ training
__________________
It's nice to be important, But is more important to be nice
 
Leap Attack is offline    Reply With Quote
Old 01-08-2001, 13:53   #9 (permalink)
Hit ANY key...
 
Join Date: Feb 2001
Location: Somewhere outside Bucharest...
Quote:
Originally posted by Leap Attack
stupidity has its price ... the funny thing is that I received emails with this very virus from none other than the people authorized for M$ training
That's so they can check how well trained you are in m$
__________________
After me, the flood...
 
bibicu is offline    Reply With Quote
Old 02-08-2001, 03:18   #10 (permalink)
Registered User
 
razvi's Avatar
 
Join Date: Jul 1999
Location: Bucuresti
I don't watch CNN; I get bored watching a bus filmed from the same angle for 5-6 hours.

The truth is that whoever runs IIS thoroughly deserves to have this kind of thing happen to them.
__________________
... brrrrrrrraaaaainzzzzzzz ..
 
razvi is offline    Reply With Quote
Old 09-08-2001, 19:31   #11 (permalink)
Registered User
 
Join Date: Jun 2000
This is what an attack by the virus looks like:

193.144.64.234 - - [09/Aug/2001:19:24:08 +0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 676 "-" "-"

and this happens about every 10 minutes, 3-4 times in a row....after which it calms down....the thing is that it eats bandwidth and it's annoying....it bloats the logs...
And from all over the world...it's something awful
__________________
"There is no torture more boundless for a man than his own thoughts." John Webster
 
deedee is offline    Reply With Quote
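
Added example (not part of any forum post): a small Python filter that pulls requests shaped like the one posted in #11 out of an Apache access log and summarises them per source address, so the noise can be counted and separated from real traffic. The function name, the 64-character padding threshold and the sample log lines are assumptions made for this illustration; the sample addresses come from documentation ranges.

```python
import re
from collections import defaultdict

# Apache common/combined log: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
# An .ida request whose query string opens with 64+ repeats of one filler
# character; optional whitespace is tolerated because forum or mail software
# often wraps such long lines, as happened to the line posted above.
PAD_RE = re.compile(r'^GET /[^?\s]+\.ida\?(\w)(?:\s?\1){63,}', re.I)
ENC_RE = re.compile(r'%u[0-9a-f]{4}', re.I)  # %uXXXX-encoded data after the filler

def find_probes(lines):
    """Group matching requests by source address and summarise them."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "statuses": set(), "before_20th": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, ts, req, status = m.groups()
        if not (PAD_RE.match(req) and ENC_RE.search(req)):
            continue
        h = hits[host]
        h["count"] += 1
        h["first"] = h["first"] or ts
        h["last"] = ts
        # 404 means this server has no such resource; other codes need a closer look.
        h["statuses"].add(int(status))
        # The advisory quoted in post #2 puts the scanning phase before the 20th.
        h["before_20th"] |= int(ts.split("/", 1)[0]) < 20
    return dict(hits)

PAD = "X" * 224
TAIL = '%u9090%u9090=a HTTP/1.0" 404 676 "-" "-"'
SAMPLE_LOG = [  # constructed lines; addresses are documentation ranges
    f'192.0.2.10 - - [09/Aug/2001:19:24:08 +0300] "GET /default.ida?{PAD}{TAIL}',
    f'192.0.2.10 - - [09/Aug/2001:19:24:09 +0300] "GET /default.ida?{PAD}{TAIL}',
    f'198.51.100.7 - - [09/Aug/2001:19:31:40 +0300] "GET /default.ida?{PAD[:100]} {PAD[100:]}{TAIL}',
    '203.0.113.5 - - [09/Aug/2001:19:32:02 +0300] "GET /index.html HTTP/1.0" 200 5120 "-" "-"',
    '203.0.113.5 - - [09/Aug/2001:19:32:05 +0300] "GET /search.ida?q=XXXX HTTP/1.0" 404 301 "-" "-"',
]

if __name__ == "__main__":
    for host, h in sorted(find_probes(SAMPLE_LOG).items()):
        print(host, h["count"], h["first"], h["last"], sorted(h["statuses"]))
```

Requiring both the long filler run and the %u-encoded data keeps ordinary .ida queries, like the last sample line, out of the result.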
Old 09-08-2001, 23:30   #12 (permalink)
Aberator comunitar
 
Sammy[BOFH]'s Avatar
 
Join Date: May 2001
Location: Bucharest, RO
hehe... you should see what it's like on my end...
I installed Black Ice just out of curiosity...
geez... if you could see how often it screams that various people are trying to access port 80...
come to think of it, I haven't looked on the server to see what's going on...
anyway... linux rulz
__________________
Hi, I'm a signature virus. plz set me as your signature and help me spread
 
Sammy[BOFH] is offline    Reply With Quote
All times are GMT +2.