Security Incidents mailing list archives
Re: Code Red(s) being confused with sadmind/IIS worm?
From: H C <keydet89 () yahoo com>
Date: Thu, 9 Aug 2001 16:31:03 -0700 (PDT)
Steve,
> In many cases, we're getting reports of Code Red for machines that are not running Win2k -- Win9x or a unix variant. We jump to the conclusion that the reports were in error.
Yes, I've been seeing this in other lists, and on Usenet. Not only have cases been misreported by admins who may or may not be knowledgeable enough to report such things, but folks reporting just about any unusual activity on port 80 in the past 2 wks, regardless of web server (or the absence thereof) have been told by others that it's Code Red.
> However, lots of the reports are not coming from signature-checking sources (e.g., IDS), but rather are simply seen to be hitting port 80/tcp on a machine that isn't a (perhaps public) webserver.
As the Code Red worm scans rather indiscriminately for hosts to infect, a lot of us are seeing SYN packets to port 80. With no other activity to observe, many may be making the assumption that it's the result of Code Red, and instead of reporting 200 SYN packets to port 80, they are reporting 200 attempts at Code Red. Many of the SYN packets may not be from infected systems at all, but rather may be folks using the eEye tool (or any of the variants) to look for unpatched systems, or systems with root.exe in the /scripts or /msadc directory. But again...many folks (particularly home users with BlackIce or ZA) are seeing the scans and reporting the SYN packets as Code Red.
> Any corroboration on (b) from anyone?
That would be interesting to see. After all, the IIS exploit used by sadmind/IIS was patched about 7 or so months before the worm came out. There is no reason to assume that there aren't still unpatched servers out there...
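One way to make the distinction this thread is drawing, as an added example that is not part of the original post: a small Python classifier over constructed log events that labels a bare SYN to port 80 as just that, and only calls an event Code Red when the worm's actual /default.ida request is seen. The /default.ida signature and the sample events are assumptions of this example, not something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post), one per line in a
# reduced "src dst_port tcp_flags [request-line]" form, roughly what a
# personal firewall or packet log boils down to.
SAMPLE_EVENTS = [
    "192.0.2.10 80 S",                                         # bare SYN, nothing more
    "192.0.2.11 80 S",
    "192.0.2.12 80 PA GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0",  # Code Red request
    "192.0.2.13 80 PA GET /scripts/root.exe HTTP/1.0",         # root.exe probe
    "192.0.2.14 80 PA GET /msadc/root.exe HTTP/1.0",
    "192.0.2.15 80 PA GET /index.html HTTP/1.0",               # ordinary web request
    "192.0.2.16 22 S",                                         # not port 80 at all
]

# Code Red's request hits /default.ida with a long run of filler bytes
# (N's for the original worm, X's for Code Red II). This request, not the
# SYN that precedes it, is what a signature-checking IDS keys on.
CODE_RED_RE = re.compile(r"GET /default\.ida\?[NX]{16,}")
# root.exe under /scripts or /msadc is the backdoor left behind by
# sadmind/IIS and what the scanning tools mentioned in the thread look for.
ROOT_EXE_RE = re.compile(r"GET /(?:scripts|msadc)/root\.exe")


def classify(event: str) -> str:
    """Label one event by the strongest evidence it actually carries."""
    _src, port, _flags, *rest = event.split(maxsplit=3)
    if port != "80":
        return "other"
    request = rest[0] if rest else ""
    if CODE_RED_RE.search(request):
        return "code_red_request"
    if ROOT_EXE_RE.search(request):
        return "root_exe_probe"
    if request:
        return "http_other"
    # A SYN with no payload says someone probed port 80, and nothing more.
    return "syn_only_port80"


def summarize(events):
    """Count events per label, so a report states what was seen, not what was assumed."""
    return Counter(classify(e) for e in events)


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_EVENTS).items():
        print(f"{label}: {count}")
```

Reported this way, the two bare SYNs show up as port-80 probes rather than as two Code Red infections.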