Security Incidents mailing list archives

Re: CRv2 multiple scans from same source IP


From: Paul Gear <paulgear () bigfoot com>
Date: Tue, 07 Aug 2001 06:33:00 +1000

Sent this last night, but it didn't make it through - moderated due to
IP addresses?

Chris Freeze wrote:

On Sun, 5 Aug 2001, John Davidson wrote:

My W2k IIS logs show 3 CRv2 scans from the same source IP within the same
minute.

Here every time I get scanned, my Apache logs are showing a double hit.
Snort is also logging the two back-to-back attempts.
...

I wrote a little script to summarize the hits on my system by IP.  Here's an
extract:

1.a.a.7
        06/Aug/2001 06:54:50
        06/Aug/2001 06:54:50
...
1.b.b.4
        06/Aug/2001 15:00:37
        06/Aug/2001 15:00:37
        06/Aug/2001 15:42:52
        06/Aug/2001 15:42:52
        06/Aug/2001 16:48:33
        06/Aug/2001 16:48:33
...
1.c.c.5
        06/Aug/2001 19:52:31
        06/Aug/2001 19:52:31
...
TOTAL:
        312 scans
        112 unique hosts

Every scan (regardless of whether it's from my class A or not)
consists of two probes.  I am getting multiple scans from each system,
often quite a ways apart.  None of the requests are missing anything -
they are all the right size.

"Ben N. Venzke" wrote:

...
If CodeRedII can only infect Windows 2000 boxes running IIS, why all
of the CodeRedII infection attempts from what appear to be DSL, cable
modem and dial-up boxes?

I could see running a small server on a DSL line but are there really
that many people running IIS on a 56k dial-up.

I thought that myself, but my brief investigations have shown otherwise.  I am
a dialup modem user on a major Australian ISP.  My system is getting a lot more
hits than I would have expected considering my bandwidth, and nearly all of them
are from my own ISP (as expected).  However, these machines do indeed seem to
be running IIS - probably the default install.

Here's what I got when I looked at the web server on one of the systems that
probed me:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 06 Aug 2001 09:29:07 GMT
Connection: Keep-Alive
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQGQGQHJC=LJAFGGCDOKEPBGGPBDDPBGLF; path=/
Cache-control: private


<!--
          WARNING!
          Please do not alter this file. It may be replaced if you
upgrade your
web server
     If you want to use it as a template, we recommend renaming it,
and
modifying the new file.
          Thanks.
-->


<HTML>

<HEAD>
<META HTTP-EQUIV="Content-Type" Content="text-html;
charset=Windows-1252">



<title id=titletext>Under Construction</title>
</HEAD>
        <body bgcolor=white>
        <TABLE>
        <TR>
        <td id="tableProps" width=70 valign=top align=center>
        <IMG id="pagerrorImg" SRC="pagerror.gif" width=36 height=48>
        <TD id="tablePropsWidth" width=400>

        <h1 id=errortype style="font:14pt/16pt verdana;
color:#4e4e4e">
        <id id="Comment1"><!--Problem--></id><id id="errorText">Under
Construction</id></h1>
        <id id="Comment2"><!--Probable causes:<--></id><id
id="errordesc"><font
style="font:9pt/12pt verdana; color:black">
        The site you were trying to reach does not currently have a
default
page. It may be in the process of being upgraded.
        </id>
        <br><br>

        <hr size=1 color="blue">

        <br>
        <ID  id=term1>
        Please try this site again later. If you still experience the
problem,
try contacting the Web site administrator.
        </ID>
        <P>

        </ul>
        <BR>
        </TD>
        </TR>
        </TABLE>
        </BODY>


</HTML>

To my untrained eye, this looks like it might be a default root page that IIS
installs.  It seems that every man and his dog with Win2K on their home PC is
joining in the fun.

Paul
http://paulgear.webhop.net
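As an added example (not Paul's script, which the post does not include), here is a summariser in the same spirit: it parses Apache common-log lines, keeps only requests for the worm's .ida target (the request path is assumed; the post does not quote it), groups probe timestamps by source IP in the layout of the extract above, and counts the same-second "double hit" pairs the thread describes. The log lines are constructed, with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache common-log lines (not from the post). Source addresses are
# documentation-range placeholders; the request path is the assumed CRv2 probe.
SAMPLE_LOG = """\
192.0.2.7 - - [06/Aug/2001:06:54:50 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 300
192.0.2.7 - - [06/Aug/2001:06:54:50 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 300
192.0.2.4 - - [06/Aug/2001:15:00:37 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 300
192.0.2.4 - - [06/Aug/2001:15:00:37 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 300
192.0.2.4 - - [06/Aug/2001:15:42:52 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 300
192.0.2.4 - - [06/Aug/2001:15:42:52 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 300
192.0.2.9 - - [06/Aug/2001:16:01:00 +1000] "GET /index.html HTTP/1.1" 200 1270
"""

# Captures ip, date, time, method, path from a common-log line (timezone skipped).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):(\d{2}:\d{2}:\d{2}) [^\]]*\] "(\S+) (\S+)')

def is_probe(path):
    """Assumed worm signature: a request for the .ida ISAPI handler."""
    return path.lower().startswith('/default.ida')

def summarize(log_text):
    """Map each probing source IP to the list of its probe timestamps, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything not in common-log format
        ip, date, time, _method, path = m.groups()
        if is_probe(path):
            hits[ip].append(f"{date} {time}")
    return dict(hits)

def totals(hits):
    return {'scans': sum(len(ts) for ts in hits.values()), 'unique_hosts': len(hits)}

def double_hits(hits):
    """Per IP, how many same-second probe pairs (the 'double hit' seen in the thread)."""
    return {ip: sum(1 for n in Counter(ts).values() if n >= 2) for ip, ts in hits.items()}

def report(hits):
    """Render the same layout as the extract in the post."""
    lines = []
    for ip in sorted(hits):
        lines.append(ip)
        lines.extend(f"\t{ts}" for ts in hits[ip])
    t = totals(hits)
    lines += ["TOTAL:", f"\t{t['scans']} scans", f"\t{t['unique_hosts']} unique hosts"]
    return "\n".join(lines)
```

Feeding a real access log through summarize() instead of SAMPLE_LOG gives the per-IP listing and totals; the unrelated index.html hit in the sample shows that non-probe traffic is dropped.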

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

