Security Incidents mailing list archives

Re: Appeal for Help. NOT Code Red But Is It?


From: Bryan Andersen <bryan () visi com>
Date: Tue, 14 Aug 2001 00:57:47 -0500

Some people have written scripts that do the actions you 
describe and have installed them on various boxes.  I have 
a copy of one of the perl based versions.  The version I 
have sends out a command to shutdown the probing windows 
box.

Slashdot has an article that links to one of the tools.
    http://slashdot.org/article.pl?sid=01/08/11/1420207

Warning: if you follow the link below and you are accessing it
from a CodeRed II infected, but not cleaned up, IIS web server,
it will shut the box down.
    http://www.dasbistro.com/default.ida
If you get through to the link you can get at the tarball of
the code.


"Lindley, Patrick@HHSDC" wrote:

Anybody know of a similar problem? Is this Code Red or something else? Does
anybody know WHY this would happen?

For the past 13 days we have been experiencing an unusual occurrence.  Every
time a particular patched NT 4.0 server of ours running IIS 4 is probed by a
Code Red infected system, our server immediately responds back to the prober
by attempting to exploit the vulnerability on that system.

Example:  158.42.25.98 sends the "/default.ida?" string followed by the "X"
or "N" string (depending on the Code Red version) and our system immediately
sends back the corresponding hack such as the HTML used in Code Red (Hacked
By Chinese!) or attempts to execute or drop D:EXPLORER.EXE on the attacking
system.

Our IDS logs and HTTP logs confirm these events. Our system in question does
not react as if it is infected with Code Red (i.e. continuously probing
other IP addresses) and as a matter of fact we have confirmed the MS patch
installation, run Trend Micro Systems anti-virus software on it, rebooted
it, and manually scanned for the tell-tale signs of Code Red infection.  It
only sends out this Code Red-like activity when it is probed.

I've included a copy of one entry from our IDS below.  Inbound port was 80
and outbound port was 2913. Context incoming is the data that was sent to us
(for instance from 158.42.25.98) and context outgoing is what our server
sent back.

           Ports: 80 -> 2913
   Context Match: [/]default[.]ida[?][a-zA-Z0-9]+%u
Context Incoming:
://***.***.***.***/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX%u

Context Outgoing:
\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\
FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\F
C\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC
\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\00\00\00\
00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00^\BF\B9\05\00\00j\07\E8
\10\00\00\00d:

explorer.exe\00\8B\04
$\88\18\FFU\CC\83\F8\FFtM\89\85L\FE\FF\FF\AC\8A\F88>u'j
\E8#\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
\00\00\00\00\00\00\00\00\00\00\00j\01V\FF\B5L\FE\FF\FF\FFU\C8FOu\C5\FF\B5L\F
E\FF\FF\FFU\C4\FE\C3\80\FBd\0F\86L\F9\FF\FF\C3a\C9\C2\04\00\0

===========================
J. Patrick Lindley
Assistant IT Security Manager
Planning & Consulting Division
1651 Alhambra Blvd.
Sacramento, CA 95816
916-739-7976

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-- 
|  Bryan Andersen   |   bryan () visi com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
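The IDS entry quoted above matches probes with the pattern `[/]default[.]ida[?][a-zA-Z0-9]+%u`. The following is an added example, not code from either poster, showing how a defender could run that same signature over web server access logs to pick out Code Red style probes, note which fill character the request used, and count probing sources. The log lines are constructed in combined log format (the 158.42.25.98 address is the one named in the report; the other addresses are documentation ranges), and the mapping of "N" fill to Code Red v1/v2 and "X" fill to Code Red II is general knowledge about those worms, not something the thread states.

```python
import re
from collections import Counter

# Request pattern taken from the IDS "Context Match" line in the report.
PROBE_RE = re.compile(r"/default\.ida\?([a-zA-Z0-9]+)%u")

# Combined log format: client IP, ident, user, [timestamp], "request line", ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

# Constructed sample log (not from the page). The probe lines carry a run of
# 224 fill characters followed by a %u sequence, as Code Red requests do;
# the %u payload itself is replaced by a harmless placeholder here.
SAMPLE_LOG = "\n".join([
    '158.42.25.98 - - [14/Aug/2001:00:12:03 -0500] "GET /default.ida?'
    + "X" * 224 + '%u0000 HTTP/1.0" 200 0',
    '192.0.2.10 - - [14/Aug/2001:00:12:07 -0500] "GET /index.html HTTP/1.0" 200 1024',
    '198.51.100.7 - - [14/Aug/2001:00:12:09 -0500] "GET /default.ida?'
    + "N" * 224 + '%u0000 HTTP/1.0" 200 0',
    '158.42.25.98 - - [14/Aug/2001:00:12:30 -0500] "GET /default.ida?'
    + "X" * 224 + '%u0000 HTTP/1.0" 200 0',
])


def classify_probe(request):
    """Return (variant, fill_char, fill_len) for a Code Red style request, else None.

    The fill character distinguishes the worm families: Code Red v1/v2 sent
    a run of "N", Code Red II a run of "X". Anything else is reported as an
    unknown fill so it still gets flagged rather than silently dropped.
    """
    m = PROBE_RE.search(request)
    if not m:
        return None
    fill = m.group(1)
    fill_char = fill[0]
    if len(set(fill)) != 1:
        variant = "unknown-fill"
    elif fill_char == "N":
        variant = "Code Red v1/v2"
    elif fill_char == "X":
        variant = "Code Red II"
    else:
        variant = "unknown-fill"
    return (variant, fill_char, len(fill))


def scan_log(text):
    """Parse combined-format log lines and return one dict per probe found."""
    hits = []
    for line in text.splitlines():
        lm = LOG_RE.match(line)
        if not lm:
            continue  # not a parseable access log line
        src, request = lm.groups()
        result = classify_probe(request)
        if result:
            variant, fill_char, fill_len = result
            hits.append({"src": src, "variant": variant,
                         "fill": fill_char, "fill_len": fill_len})
    return hits


def sources_by_count(hits):
    """Count probes per source address, for a quick view of who is scanning."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['src']:<15} {h['variant']:<15} fill={h['fill']} x{h['fill_len']}")
    for src, n in sources_by_count(found).most_common():
        print(f"{src}: {n} probe(s)")
```

Running the block against the constructed log reports two Code Red II probes from 158.42.25.98 and one Code Red v1/v2 probe from 198.51.100.7; the ordinary request for /index.html is ignored. The same functions can be pointed at real IIS or Apache logs, which is a cheaper first check than a full IDS when deciding whether a box is being probed or is itself probing.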

