Security Incidents mailing list archives

RE: New version of Code Red?


From: "Nick Lehman" <nickl () hostworks com au>
Date: Wed, 25 Jul 2001 12:13:08 +0930


Looks very much like the URL eEye's 'Code Red Scanner' uses to test for
vulnerable machines.

http://www.eeye.com/html/Research/Tools/codered.html

Nick

-----Original Message-----
From: Dean Cunningham [mailto:Dean.Cunningham () ew govt nz] 
Sent: Wednesday, 25 July 2001 7:32 AM
To: 'incidents () securityfocus com'
Subject: New version of Code Red?


A FYI, I have yet to see anything in my logs.

cheers
Dean


-----Original Message-----
From: MVick () mail uttyl edu [mailto:MVick () mail uttyl edu] 
Sent: Wednesday, 25 July 2001 8:44 AM
To: NT System Admin Issues
Subject: New version of Code Red?


Computer at 172.158.225.228 does the 80 GET /x.ida, followed by AAA...
instead of NNN...
Then comes back 25 minutes later with 80 GET /iisstart.asp and 80 GET
/pagerror.gif


2001-07-23 11:05:32 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /x.ida
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X

200 -

2001-07-23 11:30:06 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET
/iisstart.asp
- 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)

2001-07-23 11:30:08 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET
/pagerror.gif
- 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)


And nslookup reports....


C:\>nslookup 172.158.255.228
Server:  xxxx.xxxxx.xxx
Address:  xxx.xxx.xxx.xxx

Name:    AC9EFFE4.ipt.aol.com
Address:  172.158.255.228



Michael Vick

***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
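
Added example (not part of the original posts or of any tool they mention): a log triage sketch that flags `.ida` requests whose query starts with a long run of one repeated character, separates the `N` padding the post contrasts against from any other padding character, and lists what the same source requested afterwards. The field order follows the log lines quoted above; the sample lines, addresses, labels and the 64-character threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Field order as in the quoted IIS log lines (the names are this example's own).
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "port",
          "method", "stem", "query", "status", "agent")
MIN_RUN = 64  # assumed threshold for a "long" padding run
PAD_RUN = re.compile(r"^(.)\1{%d,}" % (MIN_RUN - 1))

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    "2001-07-23 11:05:32 192.0.2.10 - 198.51.100.5 80 GET /x.ida " + "A" * 220 + "=X 200 -",
    "2001-07-23 11:30:06 192.0.2.10 - 198.51.100.5 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible)",
    "2001-07-23 11:30:08 192.0.2.10 - 198.51.100.5 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible)",
    "2001-07-23 12:01:44 192.0.2.77 - 198.51.100.5 80 GET /default.ida " + "N" * 224 + "=a 200 -",
    "2001-07-23 12:02:00 192.0.2.99 - 198.51.100.5 80 GET /search.ida q=report 200 Mozilla/4.0",
]

def parse_line(line):
    """Split one log line into named fields; None if it is too short."""
    parts = line.split(None, len(FIELDS) - 1)
    if len(parts) < len(FIELDS) - 1:
        return None
    return dict(zip(FIELDS, parts))

def classify(rec):
    """Return (label, pad_char, run_length) for a padded .ida request, else None."""
    if not rec["stem"].lower().endswith(".ida"):
        return None
    m = PAD_RUN.match(rec["query"])
    if not m:
        return None
    pad = m.group(1)
    label = "code-red-style" if pad == "N" else "variant-or-scanner"
    return label, pad, len(m.group(0))

def summarize(lines):
    """Group padded .ida probes by source IP, with that source's later requests."""
    hosts = defaultdict(lambda: {"probes": [], "followups": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            hosts[rec["c_ip"]]["probes"].append((rec["date"] + " " + rec["time"],) + hit)
        elif rec["c_ip"] in hosts:  # only requests seen after a probe
            hosts[rec["c_ip"]]["followups"].append(rec["stem"])
    return dict(hosts)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["probes"], info["followups"])
```
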




