Security Incidents mailing list archives
Re: new codered worm?
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Fri, 31 Aug 2001 08:39:35 +1200
"^^ sang sang" <gauri2007 () hotmail com> wrote:
uI got code red worm, which seems like new mutation. I am not sure whether it is new one. So please explain about that if you have any idea.
This is not a "new CodeRed"...
I found logs like below 1. traced for ip address 2. checked root.exe, which used to back door in previous code red worm 3. /x.ida VVVVVVVVVVVVV as new attack pattern 4. This server is one that was contagious in previous code red attack, and it was already shut down. Accordingly, the attack was failed (Normally, IIS may stop when ida buffer overflow is failed) Also, it has log on print buffer overflow and it seems like being included in an automated script This is log 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X GET /scripts/root.exe /c+dir+c:\ 404 - 2001-08-27 01:41:39 210.92.26.120 – X.X.X>.X 80 GET /c/winnt/system32/cmd.exe /c+dir+c:\ 404 - 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X 80 GET /d/winnt/system32/cmd.exe /c+dir+c:\ 404 - 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X 80 GET /msadc/root.exe /c+dir+c:\ 404 - 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X 80 GET /c/inetpub/scripts/root.exe /c+dir+c:\ 404 - 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X80 GET /d/inetpub/scripts/cmd.exe /c+dir+c:\ 404 - 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X 80 GET /x.ida VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV> 200 -
Someone is probing your box for the .ida/.idq vulnerability and the "leftovers" of an improperly cleaned-up Codered.C or CodeRed.D attack. Cleaning CodeRed by hand, people are likely to miss the root.exe's in msadc and scripts and/or the open /C and /D virtual roots. The first six entries above are probes for those failures. The seventh is harder to diagnose from here, because if it was an overflow attempt, we'd have to see the full request (with the "payload" code that is after the overflow) to know for sure what it is supposed to do. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: new codered worm? Nick FitzGerald (Sep 01)
- <Possible follow-ups>
- Re: new codered worm? Ryan Russell (Sep 01)