Security Incidents mailing list archives

Re: Code Red II hit in July???


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 14 Aug 2001 13:31:10 -0600 (MDT)

On Mon, 13 Aug 2001, Booke, Raymond wrote:

> announced.  After patching the box on the 27th of July, we figured that all
> was well because we had heard nothing of the Code Red II yet.  The remnants
> left behind by the worm are a bit different than the current Code Red II
> though, the root.exe was on the box in the location the worm puts it, but
> there was no trojan explorer.exe, and none of the other backdoors were
> present.

Then it was probably the sadmind worm, or a manual equivalent, not Code
Red II.

> I have put the log entry below showing the exploit.  Has anyone
> seen anything like this?
>
> 2001-07-25 18:30:35 192.172.226.20 - removed for privacy 80 GET /NULL.ida
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=X 200 -

That is someone checking to see if you are vulnerable.  It is not long
enough to exploit anything, and doesn't match the Code Red signatures
(which both use default.ida, not NULL.ida).

I think what you have is a box that was compromised prior to July 25th.
What are the MAC times on root.exe?

                                        Ryan
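As an added example (not code from the thread), the Python below triages IIS W3C log lines using the two checks Ryan applies: a short-padded request to an .ida file other than default.ida is a vulnerability probe, while a worm-sized query to default.ida is Code Red-like, and a 200 response shows the .ida ISAPI mapping is still present. The sample log lines, the placeholder server IP and the length threshold are constructed assumptions, not values from the post.

```python
"""Triage IIS W3C extended log lines for .ida/.idq requests."""
from dataclasses import dataclass

# Assumption for triage only: queries at least this long are treated as
# worm-sized; the probe in the post is ~200 bytes and far short of this.
WORM_SIZED_QUERY = 300

# Constructed sample log (server IP is a placeholder; the poster redacted theirs).
SAMPLE_LOG = "\n".join([
    "2001-07-25 18:30:35 192.172.226.20 - 10.0.0.5 80 GET /NULL.ida "
    + "x" * 200 + "=X 200 -",                       # the probe from the post
    "2001-08-04 09:12:01 203.0.113.7 - 10.0.0.5 80 GET /default.ida "
    + "X" * 400 + " 200 -",                         # constructed worm-sized request
    "2001-07-25 18:31:00 198.51.100.9 - 10.0.0.5 80 GET /index.html - 200 -",
])

@dataclass
class IdaHit:
    when: str
    client: str
    stem: str
    query_len: int
    status: str
    verdict: str

def parse_w3c(line):
    """Fields: date time c-ip user s-ip s-port method uri-stem uri-query status ..."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"when": f"{f[0]} {f[1]}", "client": f[2], "stem": f[7],
            "query": f[8], "status": f[9]}

def classify(rec):
    """Return an IdaHit for .ida/.idq requests, None for anything else."""
    stem = rec["stem"].lower()
    if not stem.endswith((".ida", ".idq")):
        return None
    qlen = 0 if rec["query"] == "-" else len(rec["query"])
    if stem == "/default.ida" and qlen >= WORM_SIZED_QUERY:
        verdict = "code-red-like (default.ida, worm-sized query)"
    elif qlen >= WORM_SIZED_QUERY:
        verdict = "oversized .ida request, not Code Red's filename"
    else:
        verdict = "vulnerability probe (short padding)"
    if rec["status"] == "200":
        verdict += "; 200 => .ida ISAPI mapping still present"
    return IdaHit(rec["when"], rec["client"], stem, qlen, rec["status"], verdict)

def triage(log_text):
    """Parse every line and keep only the .ida/.idq hits."""
    recs = (parse_w3c(l) for l in log_text.splitlines())
    return [h for h in (classify(r) for r in recs if r) if h]
```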


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

