Security Incidents mailing list archives
Re: Appeal for Help. NOT Code Red But Is It?
From: Bryan Andersen <bryan () visi com>
Date: Tue, 14 Aug 2001 00:57:47 -0500
Some people have written scripts that do the actions you describe and have installed them on various boxes. I have a copy of one of the perl based versions. The version I have sends out a command to shutdown the probing windows box.

Slashdot has an article that links to one of the tools.
http://slashdot.org/article.pl?sid=01/08/11/1420207

Warning: if you follow the below link and you are accessing it from a CodeRed II infected, but not cleaned up, IIS web server it will shut the box down.
http://www.dasbistro.com/default.ida

If you get through to the link you can get at the tarball of the code.

"Lindley, Patrick@HHSDC" wrote:
Anybody know of a similar problem? Is this Code Red or something else? Does anybody know WHY this would happen?

For the past 13 days we have been experiencing an unusual occurrence. Every time a particular patched NT 4.0 server of ours running IIS 4 is probed by a Code Red infected system, our server immediately responds back to the prober by attempting to exploit the vulnerability on that system.

Example: 158.42.25.98 sends the "/default.ida?" string followed by the "X" or "N" string (depending on the Code Red version) and our system immediately sends back the corresponding hack, such as the HTML used in Code Red (Hacked By Chinese!) or attempts to execute or drop D:EXPLORER.EXE on the attacking system. Our IDS logs and HTTP logs confirm these events.

Our system in question does not react as if it is infected with Code Red (i.e. continuously probing other IP addresses) and as a matter of fact we have confirmed the MS patch installation, run Trend Micro Systems anti-virus software on it, rebooted it, and manually scanned for the tell-tale signs of Code Red infection. It only sends out this Code Red-like activity when it is probed.

I've included a copy of one entry from our IDS below. Inbound port was 80 and outbound port was 2913. Context incoming is the data that was sent to us (for instance from 158.42.25.98) and context outgoing is what our server sent back.

Ports: 80 -> 2913
Context Match: [/]default[.]ida[?][a-zA-Z0-9]+%u
Context Incoming: ://***.***.***.***/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX%u
Context Outgoing: \FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\ FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\F C\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC \FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\00\00\00\ 00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00^\BF\B9\05\00\00j\07\E8 \10\00\00\00d: explorer.exe\00\8B\04 $\88\18\FFU\CC\83\F8\FFtM\89\85L\FE\FF\FF\AC\8A\F88>u'j \E8#\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 \00\00\00\00\00\00\00\00\00\00\00j\01V\FF\B5L\FE\FF\FF\FFU\C8FOu\C5\FF\B5L\F E\FF\FF\FFU\C4\FE\C3\80\FBd\0F\86L\F9\FF\FF\C3a\C9\C2\04\00\0

===========================
J. Patrick Lindley
Assistant IT Security Manager
Planning & Consulting Division
1651 Alhambra Blvd.
Sacramento, CA 95816
916-739-7976

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
--
| Bryan Andersen | bryan () visi com | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
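The IDS entry Patrick quotes gives a defender two things to key on: the inbound probe (the Context Match signature with its run of "X" or "N" filler) and the outbound reply from port 80 that carries the 0xFC filler and the explorer.exe string. The script below is an added example, not code from the thread or from the tools Bryan links to. It runs the post's own signature over constructed sample events, names the worm variant from the filler letter (the mapping of "N" to the original Code Red and "X" to Code Red II follows the public descriptions of the worms and is an assumption here, since the post only says "X" or "N"), and correlates a flagged outbound reply with the probe it answers, which is exactly the "our server responds back" behaviour the post is asking about. The IP addresses, the minimum filler-run length and the event layout are all constructed for the example.

```python
import re
from typing import Optional

# Context Match signature from the IDS entry in the post, as a bytes regex.
IDA_PROBE_RE = re.compile(rb"[/]default[.]ida[?]([a-zA-Z0-9]+)%u")

# Markers for the outbound reply the IDS recorded: a long run of 0xFC filler
# bytes plus the explorer.exe string. The run length of 16 is an assumption.
FILLER_RUN_RE = re.compile(rb"\xfc{16,}")
EXPLORER_RE = re.compile(rb"explorer\.exe", re.IGNORECASE)

# Assumed mapping of filler letter to variant, following public descriptions.
FILLER_TO_VARIANT = {b"N": "Code Red (original)", b"X": "Code Red II"}


def classify_probe(payload: bytes) -> Optional[str]:
    """Return the variant name if payload matches the /default.ida signature, else None."""
    m = IDA_PROBE_RE.search(payload)
    if not m:
        return None
    filler = m.group(1)
    first = filler[0:1]
    # A genuine worm probe uses a single repeated filler letter; anything else
    # matches the signature but is not one of the two known variants.
    if filler.count(first) == len(filler):
        return FILLER_TO_VARIANT.get(first, "unknown /default.ida probe")
    return "unknown /default.ida probe"


def looks_like_exploit_response(payload: bytes) -> bool:
    """True if a payload carries both the 0xFC filler run and the explorer.exe string."""
    return bool(FILLER_RUN_RE.search(payload)) and bool(EXPLORER_RE.search(payload))


def triage(events):
    """Correlate inbound probes to port 80 with outbound replies from port 80.

    Each event is a dict with "src" and "dst" as (ip, port) tuples and a bytes
    "payload". Returns one finding per probe, plus one per exploit-like reply,
    noting when the reply answers a probe seen from the same client endpoint.
    """
    findings = []
    probes = {}  # client (ip, port) -> variant name
    for e in events:
        if e["dst"][1] == 80:
            variant = classify_probe(e["payload"])
            if variant:
                probes[e["src"]] = variant
                findings.append(
                    f"inbound probe from {e['src'][0]}:{e['src'][1]}: {variant}"
                )
    for e in events:
        if e["src"][1] == 80 and looks_like_exploit_response(e["payload"]):
            client = e["dst"]
            variant = probes.get(client)
            if variant:
                findings.append(
                    f"server {e['src'][0]} answered {variant} probe from "
                    f"{client[0]}:{client[1]} with exploit-like payload"
                )
            else:
                findings.append(
                    f"unsolicited exploit-like payload from {e['src'][0]} "
                    f"to {client[0]}:{client[1]}"
                )
    return findings


# Constructed sample events (RFC 5737 addresses); the port pair 2913 <-> 80
# mirrors the IDS entry in the post. "%u0000" is a placeholder, not worm data.
SERVER = ("198.51.100.5", 80)
SAMPLE_EVENTS = [
    {"src": ("192.0.2.10", 2913), "dst": SERVER,
     "payload": b"GET /default.ida?" + b"X" * 224 + b"%u0000 HTTP/1.0\r\n"},
    {"src": ("192.0.2.20", 3001), "dst": SERVER,
     "payload": b"GET /default.ida?" + b"N" * 224 + b"%u0000 HTTP/1.0\r\n"},
    # Our server's reply to the first prober, modelled on Context Outgoing.
    {"src": SERVER, "dst": ("192.0.2.10", 2913),
     "payload": b"\xfc" * 40 + b"\x00" * 8 + b"d:\\explorer.exe\x00"},
    # Ordinary request; must not be flagged.
    {"src": ("192.0.2.30", 4000), "dst": SERVER,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run against real capture data, `triage` would take events built from the IDS or packet log; the only tuning point is the filler-run threshold, which is set low enough here to catch a truncated context field like the one in the post.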
Current thread:
- Appeal for Help. NOT Code Red But Is It? Lindley, Patrick@HHSDC (Aug 13)
- Re: Appeal for Help. NOT Code Red But Is It? Bryan Andersen (Aug 14)
- <Possible follow-ups>
- Re: Appeal for Help. NOT Code Red But Is It? Ryan Russell (Aug 16)