Security Incidents mailing list archives
Re: Code Red(s) being confused with sadmind/IIS worm?
From: <ghandi () ghandi org>
Date: Thu, 9 Aug 2001 20:28:14 -0400 (EDT)
I have found the same thing. We realized yesterday afternoon that a rogue laptop on our network was running a out of the box 2k install. It had been infected with code red II. It didn't take us long however to discover that it also had been hit with the sadmind/IIS worm much earlier and had gone unnoticed. Out of curiosity we scanned several other 2k machines on our network and found the same thing, sadmind/IIS. So yes, sadmind/IIS is much more prevalent than we realize. Those who have code red probably should check for sadmind/IIS as well. Best, Patrick Stokes On Thu, 9 Aug 2001, Stephen W. Thompson wrote:
Follow my line of thinking here. In many cases, we're getting reports of Code Red for machines that are not running Win2k -- Win9x or a unix variant. We jump to the conclusion that the reports were in error. However, lots of the reports are not coming from signature-checking sources (e.g., IDS), but rather are simply seen to be hitting port 80/tcp on a machine that isn't a (perhaps public) webserver. So are a lot of the reports simply a distraction? I don't think so. I've noticed we have a good amount of the sadmind/IIS worm presence on our network. (See http://www.cert.org/advisories/CA-2001-11.html for one writeup.) Recall that this is the worm that hits Solaris boxes with a sadmind buffer overflow, and then those machines go after IIS with a Unicode directory traversal vulnerability. If I'm correct, that implies a) sadmind/IIS is more prevalent than we'd realized and, possibly b) that there might be a variant of sadmind/IIS that succeeds on non-Solaris machines unlike the original variant. Any corroboration on (b) from anyone? En paz, Steve, (tired) security analyst -- Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP thompson () isc upenn edu URL=http://pobox.upenn.edu/~thompson/index.html For security matters, use security () isc upenn edu, read by InfoSec staff The only safe choice: Write e-mail as if it's public. Cuz it could be. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Code Red(s) being confused with sadmind/IIS worm? Stephen W. Thompson (Aug 09)
- Re: [unisog] Code Red(s) being confused with sadmind/IIS worm? Anderson Johnston (Aug 10)
- Re: Code Red(s) being confused with sadmind/IIS worm? ghandi (Aug 10)
- Re: [unisog] Code Red(s) being confused with sadmind/IIS worm? Paul L Schmehl (Aug 10)
- Re: Code Red(s) being confused with sadmind/IIS worm? H C (Aug 10)