Security Incidents mailing list archives

Re: CRv2 multiple scans from same source IP


From: corecode <corecode () corecode ath cx>
Date: Mon, 06 Aug 2001 10:09:12 +0000

At 12:39 AM 8/6/2001, John Davidson wrote:
My W2k IIS logs show 3 CRv2 scans from the same source IP within the same
minute.

which worm is attacking? please don't mistake the names!
there is:
code red original, discovered around the 13th of July (CRv1): has a damaged PRNG
code red with patched PRNG, discovered around the 16th of July (CRv2)
both can infect one system multiple times, but the possibility of getting double attacks is much more probable from CRv1 than CRv2

NOW: CodeRedII (this name is easily mistaken with CRv2, so I would suppose another name: I started calling it ida_root since my first analysis on 5th aug, 7:34 GMT)
this worm always only infects one host _once_. it checks for double infection.
it could generate the same ip address again in its PRNG but the chance of this happening is near 0.

furthermore ida_root (or whatever you call it) concentrates on class A and class B networks 7/8 of the time...

cheerz
  corecode
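The thread turns on how many probes a single source IP sends within one minute. The following is an added example, not code posted by either participant: it parses IIS W3C extended log lines (the sample below is constructed, not a real capture) and tallies requests for /default.ida per source IP per minute, which is the kind of count John Davidson's observation rests on. The field names follow the W3C extended format; the URI stem and the repeat threshold are assumptions to adjust to your own logs.

```python
"""Tally Code Red style probes per source IP per minute from IIS W3C logs.

Added example for the mailing-list thread above; the log lines are
constructed. Detection keys on GET /default.ida, the request the Code Red
family sends to IIS; change URI_STEM if your logs differ.
"""
from collections import Counter

URI_STEM = "/default.ida"  # assumption: the probe URI to count

# Constructed IIS 5.0 W3C extended log sample (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-06 00:39:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 00:39:02 192.0.2.10 GET /default.ida - 200
2001-08-06 00:39:05 192.0.2.10 GET /default.ida - 200
2001-08-06 00:39:41 192.0.2.10 GET /default.ida - 200
2001-08-06 00:40:12 198.51.100.7 GET /default.ida - 200
2001-08-06 00:40:13 203.0.113.5 GET /index.html - 200
"""


def parse_w3c(text):
    """Return a list of dicts, one per data line, keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the log header
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines carry no request data
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed lines instead of guessing column positions
        rows.append(dict(zip(fields, parts)))
    return rows


def probes_per_source_minute(rows, uri_stem=URI_STEM):
    """Count probe requests keyed by (source IP, date, HH:MM)."""
    counts = Counter()
    for row in rows:
        if row["cs-uri-stem"].lower() != uri_stem.lower():
            continue
        minute = row["time"][:5]  # truncate HH:MM:SS to HH:MM
        counts[(row["c-ip"], row["date"], minute)] += 1
    return counts


def repeat_scanners(counts, threshold=2):
    """Keep only (ip, date, minute) keys that reached the threshold."""
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    tally = probes_per_source_minute(parse_w3c(SAMPLE_LOG))
    for (ip, date, minute), n in sorted(repeat_scanners(tally).items()):
        print(f"{date} {minute} {ip}: {n} probes in one minute")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a source that appears with three hits in the same minute is exactly the pattern the thread describes, and the per-minute key makes it easy to compare that against the once-only behaviour corecode attributes to CodeRedII.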


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
