Security Incidents mailing list archives

Re: New version of Code Red?


From: "Jim Forster" <jforster () rapidnet com>
Date: Tue, 24 Jul 2001 16:24:53 -0600

Confirmed, this one came across every server in one class C yesterday from
the same address.
(the hospital here in town, as a matter of fact. Odd.)

000 : 47 45 54 20 2F 78 2E 69 64 61 3F 41 41 41 41 41   GET /x.ida?AAAAA
010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
030 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
040 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
050 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
060 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
070 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
080 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
090 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0a0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0b0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0c0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0d0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0e0 : 41 41 41 41 41 41 41 3D 58 20 48 54 54 50 2F 31   AAAAAAA=X HTTP/1
0f0 : 2E 31 0A 48 6F 73 74 3A 20 77 77 77 2E 77 6F 72   .1.Host: www.wor
100 : 6D 2E 63 6F 6D 0D 0A 0D 0A                        m.com....

----- Original Message -----
From: "Dean Cunningham" <Dean.Cunningham () ew govt nz>
To: <incidents () securityfocus com>
Sent: Tuesday, July 24, 2001 4:02 PM
Subject: New version of Code Red?


An FYI, I have yet to see anything in my logs.

cheers
Dean


-----Original Message-----
From: MVick () mail uttyl edu [mailto:MVick () mail uttyl edu]
Sent: Wednesday, 25 July 2001 8:44 AM
To: NT System Admin Issues
Subject: New version of Code Red?


Computer at 172.158.225.228 does the 80 GET /x.ida, followed by AAA...
instead of NNN...
Then comes back 25 minutes later with 80 GET /iisstart.asp and 80 GET
/pagerror.gif


2001-07-23 11:05:32 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /x.ida
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
200 -

2001-07-23 11:30:06 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)

2001-07-23 11:30:08 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)


And nslookup reports....


C:\>nslookup 172.158.255.228
Server:  xxxx.xxxxx.xxx
Address:  xxx.xxx.xxx.xxx

Name:    AC9EFFE4.ipt.aol.com
Address:  172.158.255.228



Michael Vick

***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com





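Detection logic for the log pattern Michael describes, added here as an example and not code from anyone in the thread: it parses IIS W3C-format lines like those above, flags .ida/.idq requests whose query is a long single-character run ending in =X, reports which padding character was used (the A variant versus the original N), and correlates the later /iisstart.asp and /pagerror.gif fetches from the same client. The sample lines, the server address 10.0.0.5 and the 'N' line are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the IIS W3C extended format used in the post: date time
# c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
# cs(User-Agent). IIS writes '+' for spaces, so whitespace splitting is safe.
# The 220-byte padding matches the hex dump; the 'N' line is a constructed stand-in.
SAMPLE_LOG = "\n".join([
    "2001-07-23 11:05:32 172.158.255.228 - 10.0.0.5 80 GET /x.ida " + "A" * 220 + "=X 200 -",
    "2001-07-23 11:06:10 192.0.2.10 - 10.0.0.5 80 GET /default.ida " + "N" * 220 + "=X 200 -",
    "2001-07-23 11:07:00 192.0.2.44 - 10.0.0.5 80 GET /index.htm - 200 Mozilla/4.0",
    "2001-07-23 11:30:06 172.158.255.228 - 10.0.0.5 80 GET /iisstart.asp - 200 Mozilla/4.0",
    "2001-07-23 11:30:08 172.158.255.228 - 10.0.0.5 80 GET /pagerror.gif - 200 Mozilla/4.0",
])

FIELDS = ("date", "time", "c_ip", "user", "s_ip", "port", "method", "stem", "query", "status", "ua")
FOLLOWUP_PATHS = {"/iisstart.asp", "/pagerror.gif"}
# Query made of one character repeated, then "=X", as in the post.
PADDING = re.compile(r"(.)\1*=X")

def parse_log(text):
    """Yield one dict per well-formed log line; '#' directive lines are skipped."""
    for line in text.splitlines():
        parts = line.split(None, 10)
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec

def find_ida_probes(text, min_pad=100):
    """Return (client ip, padding char, padding length, timestamp) for each
    .ida/.idq request whose query is a long single-character run ending in =X."""
    hits = []
    for rec in parse_log(text):
        m = PADDING.fullmatch(rec["query"])
        if rec["stem"].lower().endswith((".ida", ".idq")) and m and len(rec["query"]) - 2 >= min_pad:
            hits.append((rec["c_ip"], m.group(1), len(rec["query"]) - 2, rec["ts"]))
    return hits

def find_followups(text, window_minutes=60):
    """Map each probing client ip to the recon paths it fetched after the probe
    within the window (the post reports a 25-minute gap)."""
    probes = {ip: ts for ip, _, _, ts in find_ida_probes(text)}
    out = {}
    for rec in parse_log(text):
        start = probes.get(rec["c_ip"])
        if start and rec["stem"] in FOLLOWUP_PATHS and start < rec["ts"] <= start + timedelta(minutes=window_minutes):
            out.setdefault(rec["c_ip"], []).append(rec["stem"])
    return out
```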