Bugtraq mailing list archives

Re: 'Code Red' does not seem to be scanning for IIS


From: daniel uriah clemens <dclemens () mail inline com>
Date: Thu, 19 Jul 2001 19:58:04 -0500 (CDT)



In short, it looks like there's two sets of worms out there. One is
scanning large contiguous netblocks in an obvious fashion, the other is
hunting and pecking about random IP addresses.

Wrong!
What is happening is the worm always hits port 80. If it hits port 80
(regardless of whether it's Apache or IIS... it's port 80) it then drops the
buffer overflow code on it.
I have seen 4800 attacks on 3 class C's so far. I am about to hook in a
few more sensors all night.


The worm attacks a random IP on port 80. If the port is closed you see
this:

Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80

If port 80 is open you will then see this:

Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80

Also, to add, this is crashing Novell BorderManager servers, Cisco IOS
(with web administration enabled, etc. etc...)

Hope this helps someone.

-Daniel Uriah Clemens

-- 

 "A true friend stabs you in the front."
     - Oscar Wilde

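As an added example, not part of the post or the thread: a small Python parser for the Snort syslog lines quoted above that separates the closed-port probes (IDS3) from the .ida overflow attempts (IDS552) and counts them per source IP. The sample lines are constructed from the ones in the post, and mapping those two signature IDs to the two outcomes the post describes is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the Snort syslog lines quoted in the post
# (addresses and timestamps copied from the post; this is not a live capture).
SAMPLE_LOG = """\
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
"""

# syslog prefix, sensor name, "snort:", signature text, then src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<sensor>\S+) snort: "
    r"(?P<sig>.+?): (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Parse Snort syslog alert lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def classify(alert):
    """Map the two signatures in the post to the worm's two outcomes (assumed)."""
    if alert["dport"] != "80":
        return "other"
    if alert["sig"].startswith("IDS552/"):
        return "ida_overflow_attempt"   # port 80 open: overflow payload was sent
    if alert["sig"].startswith("IDS3/"):
        return "port_closed_probe"      # port 80 closed: probe only, no payload
    return "other"

def summarize(text):
    """Collapse repeated identical lines (syslog repeats / retransmits), then
    count outcomes per source IP."""
    seen = set()
    per_source = defaultdict(Counter)
    for a in parse_alerts(text):
        key = (a["ts"], a["sig"], a["src"], a["sport"], a["dst"], a["dport"])
        if key in seen:
            continue
        seen.add(key)
        per_source[a["src"]][classify(a)] += 1
    return {src: dict(c) for src, c in per_source.items()}
```

Feed it a Snort syslog file instead of SAMPLE_LOG to get a per-source count of probes versus actual overflow attempts against the sensor's netblocks.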