Bugtraq mailing list archives
RE: 'Code Red' does not seem to be scanning for IIS
From: Kelly Martin <kellym () fb00 fb org>
Date: Thu, 19 Jul 2001 17:21:06 -0500
Our principal web server (which services some 50-odd virtual domains) has taken over 500 hits from "Code Red" worms since around 10am today. It runs Apache, so it doesn't present a security risk, but it is tending to annoy our already-overloaded network pipe (we have four Class C's squeezed into one T1 line). Prior to today at around 11am there is no record in our logfiles for that server, which go back to 10 July.

Our servers all started to see hits at about the same time, around 10 am central time. Two of them, NT 4.0 SP6a systems with IIS 5, died, one repeatedly, before we figured out what was going on. The attacks come from widely variable hosts (no discernable pattern). I've tracked nearly a thousand hits on our IP block in the past six hours or so with none before that, and that doesn't even count the ones that smacked silently against the firewall (port 80 is only open through the firewall to hosts that actually run public web servers, which is only a tiny fraction of the IPs in the block).

My cable modem has also started to get hit today, for the first time as far as I know, as has our off-site ecommerce server.

I suspect that this is a fresh launch, possibly with a modified code base from the original Red Code worm.

Kelly Martin
American Farm Bureau Federation
-----Original Message-----
From: Mike Brockman [SMTP:phubuh () home se]
Sent: Thursday, July 19, 2001 4:33 PM
To: bugtraq () securityfocus com
Subject: 'Code Red' does not seem to be scanning for IIS

From what I read about the 'Code Red'-worm, it was supposed to be scanning for IIS-servers. It obviously isn't, I believe it tries to infect everything they find on port 80, or something as simple as that.

About three to four days ago, I started to get those default.ida-GET's in my Apache-logs. I shut down the server as fast as I could, and checked for outgoing connections from my computer, and then did some research. I was told that it was an IIS-worm, and that it couldn't affect Apache-servers, so I was safe. I turned the server back on, and from that day I have received forty-one attempts.

How can this be? Why am I getting so few attempts, if it is as eEye says -- that every worm-instance has the same seed? I should be getting tons and tons of tries, if the worm has been around for this long. Or is it that my IP is high up in the "sequence", and not many come that far? If that is the case, the number should be increasing fast in the near future, right?

I'll come back with a report in a week or so.

________________________________
m'name be mike brockman! jeeh!
_ooh,_und_dunt_feed_my_eskimoes_
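Both messages in this thread count default.ida requests in Apache logs and ask when they began and how many hosts sent them. The following is an added log-triage example, not code from either poster; the log lines are constructed (documentation addresses, shortened query string) and the names CLF, SAMPLE_LOG and summarize are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
# (Combined Log Format lines match too; the trailing fields are ignored.)
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input, not taken from either poster's logs.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:09:58:02 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [19/Jul/2001:10:03:41 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
203.0.113.99 - - [19/Jul/2001:10:17:20 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [19/Jul/2001:11:02:13 -0500] "GET /Default.IDA?NNNNNNNN HTTP/1.0" 404 205
192.0.2.10 - - [19/Jul/2001:11:05:00 -0500] "GET /docs/default.ida.html HTTP/1.0" 200 512
garbage line that does not parse
"""

def summarize(lines):
    """Count requests for /default.ida per hour and per source host."""
    per_hour, per_host = Counter(), Counter()
    first_seen = None
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed or truncated entries
        # Compare the path only: drop the query string, ignore case.
        path = m.group("target").split("?", 1)[0].lower()
        if path != "/default.ida":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
        per_host[m.group("host")] += 1
        if first_seen is None or ts < first_seen:
            first_seen = ts
    return {
        "total": sum(per_host.values()),
        "first_seen": first_seen,
        "per_hour": dict(per_hour),
        "per_host": dict(per_host),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

To run it against a real log, pass an open file object to summarize() in place of the sample lines.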