Security Incidents mailing list archives
Re: Code red variants?
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Fri, 7 Sep 2001 09:28:06 +1200 (NZST)
I now have an explanation for this, see appended message from NEXTRA who own the addresses where these packets come from. This still begs the question of the exact mechanism but I think we are on the right track. Nextra are blocking code red connections at their transparent proxy but something is coming unstuck.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
From: Russell Fulton <r.fulton () auckland ac nz>
Sender: r.fulton () auckland ac nz
To: abuse () online no
Subject: strange code red segments from 130.67/16
Date: Thu, 6 Sep 2001 16:40:50 +1200 (NZST)
Priority: NORMAL
X-Mailer: Simeon for Solaris Motif Version 4.1.5 Build (43)
X-Authentication: IMSP

Greetings, I have observed a stream of ACK packets (with no SYN) coming from various addresses in 130.67. All of these packets appear to contain nearly identical payload being part of (2nd packet ?) of the code red stream. I am wondering if you have something (a proxy ?) that is blocking the SYN and first packet (that contains the url) but is allowing the latter packets out?
Yes, we do block outgoing code red attacks using transparent proxies. But I cannot explain why only the first packet is blocked. The proxies should of course operate on a session level and not on a packet level. At the moment the only explanation I can think of is a failure of our redirecting equipment. I will have to look further into that. It does not sound good.. Thanks for your report.

Bjørn Mork
Nextra

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
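The anomaly reported above, payload-bearing ACK segments on flows for which no SYN was ever seen, is easy to pick out of a capture with a small stateful check. The following is an added example, not code from the original thread or from either site; the packet records are constructed, and the 130.67.x.x hosts and payload bytes are placeholders, not observed values.

```python
"""Flag TCP segments that carry payload on a flow whose handshake was never seen.
Added example for the 'ACK packets with no SYN' observation; all records below
are constructed, not captured traffic."""
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # subset of "SAFPR", e.g. "S", "SA", "A"
    payload: bytes = b""


def orphan_data_segments(segments):
    """Return segments carrying data on a 4-tuple for which no SYN was observed.

    A SYN or SYN/ACK in either direction marks the flow as established.
    Pure ACKs without data are ignored so that only leaked payload is reported,
    which is what a session-level proxy should never let through on its own."""
    established = set()
    orphans = []
    for seg in segments:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if "S" in seg.flags:
            established.update((fwd, rev))
            continue
        if seg.payload and "A" in seg.flags and fwd not in established:
            orphans.append(seg)
    return orphans


def by_source(orphans):
    """Count orphan data segments per source address (who is leaking)."""
    return dict(Counter(seg.src for seg in orphans))


# Constructed sample: one normal flow, two mid-stream leaks, one bare ACK.
SAMPLE = [
    Segment("10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    Segment("192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    Segment("10.0.0.5", 40001, "192.0.2.10", 80, "A", b"GET / HTTP/1.0\r\n"),
    Segment("130.67.1.2", 1234, "192.0.2.10", 80, "A", b"<constructed 2nd segment>"),
    Segment("130.67.1.3", 1235, "192.0.2.10", 80, "A", b"<constructed 2nd segment>"),
    Segment("130.67.1.4", 1236, "192.0.2.10", 80, "A"),     # no data: ignored
]

if __name__ == "__main__":
    for seg in orphan_data_segments(SAMPLE):
        print(f"payload without handshake: {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}")
    print(by_source(orphan_data_segments(SAMPLE)))
```

Run against a real trace, a non-empty result from a single /16 across many sources is the signature of an inline device dropping the start of sessions while passing the remainder, rather than of individually misbehaving hosts.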