FW: CodeRed Observations.

["larosa, vjay" <larosa_vjay () emc com>]

> Hello,
>
> I have been watching this recent spike in CodeRed activity and one thing I
> am noticing
> is the lack of TCP session establishment. I am seeing common get strings
> like this showing
> up at my firewalls without ever establishing a TCP three way handshake. I
> have seen several
> hundred packets with in the last two days similar to this at my firewalls.
>
> 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
> 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
> 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
> 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
> 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
> Snip----------------------------------------------------------------------
> ------------------------------------------------------
>
> I find it awfully strange that there is no handshake (not even a single
> SYN to try and establish
> a session) but these packets show up anyway. I also am not seeing an
> increase of port 80
> scans in my firewall logs or with any of my IDS sensors. Is anybody else
> out there seeing the 
> same things we are?
>
> Thanks!
>
> vjl
>
> V.Jay LaRosa                           EMC Corporation
> Information Security                  4400 Computer Dr.
> (508)898-7433 office                  Westboro, MA 01580
> (508)353-1348 cell                     www.emc.com
> 888-799-9750 pager                   larosa_vjay () emc com

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>