Security Incidents mailing list archives

RE: CRv2 multiple scans from same source IP


From: "Andrew Cruse" <acruse () design-synergy com>
Date: Mon, 6 Aug 2001 16:46:52 -0400

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One possibility we seem to be overlooking here is that it's
conceivable that we have several servers with RFC 1918 addresses
sitting behind a firewall/proxy in some kind of NAT/portforwarding
setup, and the IP in the logs is actually the IP address of the
firewall.  

Andrew

- -----Original Message-----
From: Lee Smith [mailto:lee () booksys com]
Sent: Monday, August 06, 2001 3:15 PM
To: corecode
Cc: jwd_ods () hotmail com; incidents () securityfocus com
Subject: Re: CRv2 multiple scans from same source IP



NOW: CodeRedII (this name is easily mistaken for CRv2, so I would
suppose another name: I started calling it ida_root since my first
analysis on 5th Aug, 7:34 GMT)
This worm always only infects one host _once_. It checks for double
infection. It could generate the same IP address again in its PRNG,
but the chance of this happening is near 0.


You would think it should be near 0, but unless I'm mistaken this
should be CR II, correct?

x.x.x.x - - [06/Aug/2001:09:18:20 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278
x.x.x.x - - [06/Aug/2001:09:18:23 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:13 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:53 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:57 -0500] <snip>

All from the same IP address, out of my Apache logs.

- ----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com





-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO28CPNU0NpnwXzrpEQIHtACg+frXpSxFREhPxHBNZnF//V0J2T0AmQFS
XKpEQVXeUUkzmKGcTZ66sL9s
=XGwf
-----END PGP SIGNATURE-----
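The question in this thread is whether a run of probes from one address contradicts a worm that infects each host only once. As an added example (not part of the original thread or of anyone's posted code), the Python script below groups /default.ida probes from Apache common-log-format lines by source IP and reports hit count, time span and same-second duplicates per address. It classifies the family by the padding character in the query (the original Code Red v1/v2 pad with "N", CodeRedII pads with "X"). The sample lines are constructed, not the logs quoted above, and the NAT heuristic (repeated hits, especially two landing in the same second, from an address that a once-per-host worm should only ever use once) is an assumption used as a rule of thumb, not proof that a NAT or proxy sits in front of several infected machines.

```python
"""Group CodeRed-family /default.ida probes by source IP from Apache access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache common log format (not taken from the original post).
# 192.0.2.10 sends four CodeRedII-style probes, two of them in the same second;
# 192.0.2.20 sends one CodeRed v1/v2-style probe; 192.0.2.30 is ordinary traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:09:18:20 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 278
192.0.2.10 - - [06/Aug/2001:09:18:23 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 278
192.0.2.10 - - [06/Aug/2001:09:18:37 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 278
192.0.2.10 - - [06/Aug/2001:09:18:37 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 278
192.0.2.20 - - [06/Aug/2001:09:19:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 278
192.0.2.30 - - [06/Aug/2001:09:19:05 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

# Apache common log format: ip ident user [timestamp] "method path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def classify(path):
    """Return a worm family label for a request path, or None for non-worm traffic.

    CodeRed v1/v2 pad the .ida query with 'N'; CodeRedII pads it with 'X'.
    """
    if not path.startswith("/default.ida?"):
        return None
    query = path[len("/default.ida?"):]
    if query.startswith("X"):
        return "CodeRedII"
    if query.startswith("N"):
        return "CodeRed v1/v2"
    return "unknown .ida probe"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["family"] = classify(rec["path"])
    return rec


def summarize(log_text):
    """Group worm probes by source IP: hit count, families seen, first/last time, same-second duplicates."""
    per_ip = defaultdict(lambda: {"hits": 0, "families": set(), "first": None,
                                  "last": None, "same_second": 0})
    seen_seconds = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["family"] is None:
            continue
        s = per_ip[rec["ip"]]
        s["hits"] += 1
        s["families"].add(rec["family"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        # Two probes in the same second from one address suggest concurrent senders.
        if rec["ts"] in seen_seconds[rec["ip"]]:
            s["same_second"] += 1
        seen_seconds[rec["ip"]].add(rec["ts"])
    return dict(per_ip)


def nat_suspects(summary, min_hits=2):
    """Heuristic (assumption, not proof): an address that a once-per-host worm hits us
    from repeatedly is more plausibly a NAT/proxy fronting several infected machines
    than a single host re-infecting us."""
    return sorted(ip for ip, s in summary.items() if s["hits"] >= min_hits)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in sorted(summary.items()):
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{ip}: {s['hits']} hits, {sorted(s['families'])}, "
              f"{span:.0f}s span, {s['same_second']} same-second duplicates")
    print("possible NAT/proxy sources:", nat_suspects(summary))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the same-second count is the figure worth watching, since a single infected host sending sequential probes does not normally produce two in one second.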

