Security Incidents mailing list archives

Re: Code Red(s) being confused with sadmind/IIS worm?

From: <ghandi () ghandi org>
Date: Thu, 9 Aug 2001 20:28:14 -0400 (EDT)


I have found the same thing. We realized yesterday afternoon that a rogue
laptop on our network was running a out of the box 2k install. It had been
infected with code red II. It didn't take us long however to discover that
it also had been hit with the sadmind/IIS worm much earlier and had gone
unnoticed.

Out of curiosity we scanned several other 2k machines on our network and
found the same thing, sadmind/IIS. So yes, sadmind/IIS is much more
prevalent than we realize. Those who have code red probably should check
for sadmind/IIS as well.

Best,
Patrick Stokes

On Thu, 9 Aug 2001, Stephen W. Thompson wrote:

Follow my line of thinking here.

In many cases, we're getting reports of Code Red for machines that are
not running Win2k -- Win9x or a unix variant.  We jump to the
conclusion that the reports were in error.

However, lots of the reports are not coming from signature-checking
sources (e.g., IDS), but rather are simply seen to be hitting port
80/tcp on a machine that isn't a (perhaps public) webserver.

So are a lot of the reports simply a distraction?  I don't think so.
I've noticed we have a good amount of the sadmind/IIS worm presence on
our network.  (See http://www.cert.org/advisories/CA-2001-11.html for
one writeup.)  Recall that this is the worm that hits Solaris boxes
with a sadmind buffer overflow, and then those machines go after IIS
with a Unicode directory traversal vulnerability.

If I'm correct, that implies a) sadmind/IIS is more prevalent than
we'd realized and, possibly b) that there might be a variant of
sadmind/IIS that succeeds on non-Solaris machines unlike the original
variant.  Any corroboration on (b) from anyone?

En paz,
Steve, (tired) security analyst
--
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson () isc upenn edu    URL=http://pobox.upenn.edu/~thompson/index.html
  For security matters, use security () isc upenn edu, read by InfoSec staff
  The only safe choice: Write e-mail as if it's public.  Cuz it could be.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Code Red(s) being confused with sadmind/IIS worm? Stephen W. Thompson (Aug 09)
- Re: [unisog] Code Red(s) being confused with sadmind/IIS worm? Anderson Johnston (Aug 10)
- Re: Code Red(s) being confused with sadmind/IIS worm? ghandi (Aug 10)
- Re: [unisog] Code Red(s) being confused with sadmind/IIS worm? Paul L Schmehl (Aug 10)
- Re: Code Red(s) being confused with sadmind/IIS worm? H C (Aug 10)