Security Incidents mailing list archives

RE: original code red resurgence...


From: "Fulton L. Preston Jr." <fulton () prestons org>
Date: Tue, 16 Oct 2001 13:51:54 -0400

Been seeing the same thing here too along with the lack of an entry in
either my Apache or IIS servers.  Sometimes Snort is reporting it as a
whisker splicing attack.  Further investigation does find that the
remote host is infected.

-----Original Message-----
From: Russell Fulton [mailto:r.fulton () auckland ac nz] 
Sent: Monday, October 15, 2001 7:39 PM
To: incidents () securityfocus com
Subject: original code red resurgence...


Greetings All,
              I have been watching the probe rate on port 80 and .ida 
attacks with interest since the shutdown of Code Red II at the 
beginning of the month.

Initially we saw a sharp drop in the number of addresses doing random 
probes to port 80 and an almost complete absence of .ida probes logged 
by snort. Then a very slow increase in .ida probes (the ones padded 
with "NNN").  Over the last few days the .ida probe rate has risen 
from one or two per day to approximately 1 per hour across our network 
and the overall probe rate has risen from around 1500 different source 
IPs per hour to 1800. 

The original code red is definitely still alive and spreading, albeit 
slowly.

There is one thing that puzzles me: snort (1.8.1) sometimes logs an 
alert for '.ida attempt' but does not log any packet and in some cases 
I have not been able to find the log entries in the web server logs.  
This suggests that something odd is breaking in snort.  I have posted a 
query on the snort_users mailing list but have not had any response.

Any ideas?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
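The two observations in the thread are (a) .ida probes padded with a run of "N" (the original Code Red request; Code Red II padded with "X" instead) and (b) the number of distinct source IPs probing per hour. The script below is an added example, not code from either poster: it parses constructed Apache/IIS combined-format log lines, classifies each .ida request by its padding character, and counts distinct probing sources per hour. The log lines, IP addresses and the 20-character padding threshold are assumptions for illustration; the real worm requests carried a much longer pad followed by %u-encoded shellcode.

```python
"""Classify Code Red-style .ida probes in web-server logs and count
distinct probing sources per hour.

Added example, not from the mailing-list thread.  Assumes combined log
format and the documented padding discriminator: original Code Red pads
its GET /default.ida? request with 'N', Code Red II with 'X'.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# A long run of N (Code Red) or X (Code Red II) right after /default.ida?
# The 20-character minimum is an assumption chosen for this example.
IDA_RE = re.compile(r'/default\.ida\?(?P<pad>N{20,}|X{20,})', re.IGNORECASE)


def classify_request(request_line: str) -> Optional[str]:
    """'code-red' for N-padded, 'code-red-ii' for X-padded, 'ida-other' for
    any other .ida request, None if the request is not an .ida probe."""
    if '.ida' not in request_line.lower():
        return None
    m = IDA_RE.search(request_line)
    if m is None:
        return 'ida-other'
    return 'code-red' if m.group('pad')[0].upper() == 'N' else 'code-red-ii'


def parse_line(line: str):
    """Return (source_ip, timestamp, request) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('src'), ts, m.group('req')


def probe_stats(lines):
    """Return (probe counts per family, distinct source IPs per hour bucket).

    Only .ida requests count as probes; ordinary traffic is ignored so the
    per-hour figure is the number of distinct hosts sending .ida probes,
    the metric the original poster tracked.
    """
    family_counts = defaultdict(int)
    sources_per_hour = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, ts, req = parsed
        kind = classify_request(req)
        if kind is None:
            continue
        family_counts[kind] += 1
        sources_per_hour[ts.strftime('%Y-%m-%d %H:00')].add(src)
    return dict(family_counts), {h: len(s) for h, s in sources_per_hour.items()}


# Constructed sample log lines (documentation-range IPs, shortened padding).
SAMPLE_LOG = [
    f'192.0.2.10 - - [15/Oct/2001:09:14:02 +1300] "GET /default.ida?{"N" * 40}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 296',
    f'192.0.2.11 - - [15/Oct/2001:09:40:31 +1300] "GET /default.ida?{"X" * 40}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 296',
    '192.0.2.12 - - [15/Oct/2001:10:02:17 +1300] "GET /index.html HTTP/1.1" 200 1043',
    f'192.0.2.10 - - [15/Oct/2001:10:05:44 +1300] "GET /default.ida?{"N" * 40}%u9090 HTTP/1.0" 404 296',
    '198.51.100.7 - - [15/Oct/2001:10:30:00 +1300] "GET /scripts/foo.ida HTTP/1.0" 404 200',
]

if __name__ == '__main__':
    counts, per_hour = probe_stats(SAMPLE_LOG)
    print(counts)    # {'code-red': 2, 'code-red-ii': 1, 'ida-other': 1}
    print(per_hour)  # {'2001-10-15 09:00': 2, '2001-10-15 10:00': 2}
```

Because the thread also notes Snort alerts with no matching web-server log entry, a count taken from server logs alone should be treated as a lower bound; comparing it against the IDS alert count per hour is the natural cross-check.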


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

