Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

CRV3

From: Wayne Conrad <wconrad () yagni com>
Date: 4 Aug 2001 14:16:44 -0700
I'm cc-ing this to Speakeasy only "FYI".  No finger pointing intended.

The CodeRed flavored thingy that started touching my server this morning, originating mostly from Speakeasy DSL 
customers, has been very busy.  In just 8 hours my little single-IP site has seen it 63 times from 32 unique IP's.  
That's many times the activity my server has seen from CRv1 and CRv2 (my grand total *ever* of the "NNNN" style probes 
is 128).

Again, it looks like this:

64.81.32.130 - - [04/Aug/2001:13:49:57 -0700] "GET 
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
  HTTP/1.0" 404 275 "-" "-"

Note the XXX's instead of NNN's.  CRv1 and CRv2 sent N's.

The other thing that makes this look different from CRv1 and CRv2 is the limited range of IP's it's coming from, and 
that I'm getting multiple hits from the same IP (I've seen no repeated IP's in CRv1 and CRv2 probes):

wconrad@mars:/usr/local/apache/logs$ for h in `grep 'default\.ida?XXX' access_log | awk '{print $1}'`; do echo $h `host 
$h | grep Name | awk '{print $2}'`;  done | sort | uniq -c
      1 64.105.162.178 h-64-105-162-178.lnoclli.covad.net
      1 64.229.106.201 HSE-Toronto-ppp184454.sympatico.ca
      1 64.230.27.139 HSE-Toronto-ppp260438.sympatico.ca
      1 64.231.233.164 HSE-Montreal-ppp131791.qc.sympatico.ca
      3 64.34.162.53 dsl-64-34-162-53.telocity.com
      1 64.81.107.195 dsl081-107-195.den1.dsl.speakeasy.net
      1 64.81.12.194 srv.shai.com
      1 64.81.121.155 dsl081-121-155.dfw1.dsl.speakeasy.net
      1 64.81.136.108 dsl081-136-108.chi1.dsl.speakeasy.net
      4 64.81.156.226 dsl081-156-226.chi1.dsl.speakeasy.net
      1 64.81.168.161 dsl081-168-161.sea1.dsl.speakeasy.net
      1 64.81.17.51 dsl081-017-051.sea1.dsl.speakeasy.net
      6 64.81.173.54 dsl081-173-054.sea1.dsl.speakeasy.net
      1 64.81.183.38 dsl081-183-038-sea1.sea1.dsl.speakeasy.net
      1 64.81.192.165 dsl081-192-165.nyc2.dsl.speakeasy.net
      2 64.81.193.38 dsl081-193-038.nyc2.dsl.speakeasy.net
      8 64.81.203.146 dsl081-203-146.nyc2.dsl.speakeasy.net
      3 64.81.206.116 dsl081-206-116.nyc2.dsl.speakeasy.net
      2 64.81.209.251 dsl081-209-251.nyc2.dsl.speakeasy.net
      1 64.81.212.253 dsl081-212-253.nyc2.dsl.speakeasy.net
      1 64.81.22.252 dsl081-022-252.sea1.dsl.speakeasy.net
      3 64.81.240.129 dsl081-240-129.sfo1.dsl.speakeasy.net
      1 64.81.243.50 dsl081-243-050.sfo1.dsl.speakeasy.net
      1 64.81.32.130 dsl081-032-130.lax1.dsl.speakeasy.net
      3 64.81.32.248 dsl081-032-248.lax1.dsl.speakeasy.net
      1 64.81.47.221 dsl081-047-221.lax1.dsl.speakeasy.net
      1 64.81.48.34 dsl081-048-034.sea1.dsl.speakeasy.net
      1 64.81.58.116 dsl081-058-116.dsl-isp.net
      3 64.81.62.38 www.sacramentochats.com
      2 64.81.67.10 dsl081-067-010.sfo1.dsl.speakeasy.net
      1 64.81.81.47 dsl081-081-047.lax1.dsl.speakeasy.net
      3 64.81.87.33 dsl081-087-033.lax1.dsl.speakeasy.net

Why would someone restrict the worm to a particular range of IP's?  Testing?  Angry at Speakeasy?  Your guess is 
probably better than mine.

      Wayne Conrad

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: