Security Incidents mailing list archives

Re: CRv2 multiple scans from same source IP


From: Lee Smith <lee () booksys com>
Date: Mon, 6 Aug 2001 14:15:10 -0500


> NOW: CodeRedII (this name is easily mistaken for CRv2, so I would suppose
> another name: I started calling it ida_root since my first analysis on 5th
> Aug, 7:34 GMT)
> this worm always only infects one host _once_. It checks for double infection.
> It could generate the same IP address again in its PRNG, but the chance of
> this happening is near 0.


You would think it should be near 0, but unless I'm mistaken this should be CR II, correct?

x.x.x.x - - [06/Aug/2001:09:18:20 -0500] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 278
x.x.x.x - - [06/Aug/2001:09:18:23 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:13 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:53 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:57 -0500] <snip>

All from the same IP address, out of my Apache logs.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
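The question in the post (is this CodeRedII, and why is one source hitting the same host nine times?) is the kind of thing a log parser answers faster than eyeballing. The script below is an added example, not code from the post, the list or any worm analysis it cites. It parses Apache common-log lines, tags each /default.ida request by the padding character in the query (the original Code Red, CRv1 and CRv2, pads with "N"; CodeRedII pads with "X"; both share the same %u9090%u6858%ucbd3%u7801 overflow trailer seen in the post), and then counts hits per source so repeat sources stand out. The sample log text is constructed for the example: the addresses are RFC 5737 documentation addresses, the timestamps are made up, and the payload strings are shortened versions of the request in the post.

```python
import re
from collections import defaultdict

# Constructed sample log (Apache common log format). The request strings are
# abbreviated versions of the default.ida request quoted in the post; the
# source addresses and timestamps are made up for the example.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:09:18:20 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278
192.0.2.10 - - [06/Aug/2001:09:18:23 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278
198.51.100.7 - - [06/Aug/2001:09:20:01 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278
203.0.113.5 - - [06/Aug/2001:09:21:44 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

# Common log format: host ident user [time] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The overflow trailer both Code Red generations send after the padding.
IDA_TRAILER = "%u9090%u6858%ucbd3%u7801"


def parse_line(line):
    """Return a dict of the common-log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Tag a request path as a Code Red variant by its default.ida padding.

    Returns None for anything that is not a /default.ida request. The
    padding run (everything between '?' and the first '%') is 'N' for the
    original Code Red (CRv1/CRv2) and 'X' for CodeRedII.
    """
    if not path.startswith("/default.ida?"):
        return None
    query = path.split("?", 1)[1]
    padding = query.split("%", 1)[0]
    has_trailer = IDA_TRAILER in query
    if padding and set(padding) == {"X"} and has_trailer:
        return "CodeRedII"
    if padding and set(padding) == {"N"} and has_trailer:
        return "CodeRed v1/v2"
    return "default.ida probe (unclassified)"


def summarize(log_text):
    """Map source IP -> {variant: hit count} over all default.ida requests."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        variant = classify(rec["path"])
        if variant is None:
            continue
        counts[rec["ip"]][variant] += 1
    # Convert to plain dicts so callers get ordinary mappings back.
    return {ip: dict(v) for ip, v in counts.items()}


def repeat_hits(log_text, threshold=2):
    """List (ip, variant, count) for sources that hit the same host repeatedly.

    A worm that checks for double infection should not appear here more than
    once per variant; sources above the threshold are worth a closer look.
    """
    out = []
    for ip, variants in summarize(log_text).items():
        for variant, n in variants.items():
            if n >= threshold:
                out.append((ip, variant, n))
    return sorted(out, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    for ip, variants in summarize(SAMPLE_LOG).items():
        print(ip, variants)
    print("repeat sources:", repeat_hits(SAMPLE_LOG))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; lines that wrapped in an e-mail (as the GET line in the post did) must be rejoined first, since the parser expects one request per line.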

