Security Incidents mailing list archives

RE: Code Red and other anomalous activity from 1433


From: "Michael Fredericks" <mfredericks () infosol com>
Date: Thu, 11 Jul 2002 14:53:08 -0700

Hi All,
I've been getting slammed with Subseven attempts in the past 24 hours.
Again they are almost all from Asia (APNIC) and most of the ones I've
traced so far have been in Korea. Since it is Subseven, I wouldn't
imagine they'd be spoofed so I think it is safe to say there is
something weird going on in Asia.

Michael Fredericks
Manager - Networks and Telecommunications
InfoSol, Inc.
mfredericks () infosol com
http://www.infosol.com/
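
The reports in this thread (Code Red hits on port 80, a surge of destination port 1433, SubSeven attempts, and the question of whether the sources could be spoofed) reduce to the triage a defender does over firewall or IDS logs. The script below is an added example, not code from any poster. Its log format and sample lines are constructed for the example, and the SubSeven default port 27374 is this example's assumption; the thread names SubSeven but no port. It counts events per watched port, lists the top sources, and records whether any event on a port completed a TCP handshake, which is the basis of Michael's point that an established SubSeven session, unlike a bare SYN, cannot come from a forged address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines (not from the thread). The format is
# an assumption made for this example: "date time src:port -> dst:port TCP
# state", where state is SYN (only the first packet was seen) or EST (the
# three-way handshake completed, so the source address is genuine).
SAMPLE_LOG = """\
2002-07-11 08:01:12 203.0.113.10:3021 -> 10.0.0.5:80 TCP SYN
2002-07-11 08:01:13 203.0.113.10:3022 -> 10.0.0.6:80 TCP SYN
2002-07-11 08:01:15 198.51.100.7:1044 -> 10.0.0.5:1433 TCP SYN
2002-07-11 08:01:16 198.51.100.7:1045 -> 10.0.0.7:1433 TCP SYN
2002-07-11 08:02:40 203.0.113.44:4112 -> 10.0.0.5:27374 TCP EST
2002-07-11 08:02:41 203.0.113.44:4113 -> 10.0.0.9:27374 TCP EST
2002-07-11 08:03:05 203.0.113.10:3023 -> 10.0.0.8:80 TCP SYN
2002-07-11 08:03:30 192.0.2.200:5000 -> 10.0.0.5:22 TCP EST
this line is garbage and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<state>SYN|EST)$"
)

# Destination ports worth pulling out of the noise. 80 and 1433 are the ports
# the thread reports; 27374 is SubSeven's well-known default, an assumption
# of this example (the thread names SubSeven but not a port).
WATCHED_PORTS = {
    80: "HTTP (Code Red scans for IIS)",
    1433: "MS SQL Server",
    27374: "SubSeven default port",
}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def summarize(log_text, top_n=3):
    """Aggregate events on watched ports: volume, top sources, handshake evidence."""
    hits = Counter()                 # dport -> number of events
    sources = defaultdict(Counter)   # dport -> Counter of source addresses
    established = Counter()          # dport -> events that completed a handshake
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dport"] not in WATCHED_PORTS:
            continue
        port = ev["dport"]
        hits[port] += 1
        sources[port][ev["src"]] += 1
        if ev["state"] == "EST":
            established[port] += 1
    return {
        "hits": dict(hits),
        "top_sources": {p: sources[p].most_common(top_n) for p in hits},
        # True when every event on the port was a bare SYN: nothing in the log
        # proves those source addresses are real, so spoofing is possible.
        # An EST event on a port shows that at least that source is genuine.
        "all_syn_only": {p: established[p] == 0 for p in hits},
    }


def report(summary):
    """Render the summary as text, one line per watched port."""
    lines = []
    for port in sorted(summary["hits"]):
        srcs = ", ".join(f"{ip} ({n})" for ip, n in summary["top_sources"][port])
        if summary["all_syn_only"][port]:
            caveat = "SYN-only, sources may be spoofed"
        else:
            caveat = "at least one handshake completed, a genuine source is present"
        lines.append(f"port {port:>5} {WATCHED_PORTS[port]}: {summary['hits'][port]} "
                     f"events; top sources {srcs}; {caveat}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Running the block prints one line per watched port; the 27374 line is the only one where the log itself rules out spoofing, which is the distinction Michael draws between SubSeven sessions and the Code Red and 1433 SYN floods.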


-----Original Message-----
From: Graham, Randy (RAW) [mailto:RAW () y12 doe gov] 
Sent: Thursday, July 11, 2002 12:56 PM
To: Curley Mr Eric P; incidents () securityfocus com
Subject: RE: Code Red and other anomalous activity from 1433

Seeing about 24 hours' worth of traffic here. Started a little before 8:00
yesterday morning. Last we saw of it was around 6:30 today (at least, the
last my internal snort sensor picked up - not sure if the firewall guys
have just blocked it or if it has stopped).

Randy Graham
-- 
Recursion (ri-'k&r-zh&n) [noun] - See: Recursion


-----Original Message-----
From: Curley Mr Eric P [mailto:CurleyEP () NOC USMC MIL]
Sent: Thursday, July 11, 2002 10:26 AM
To: incidents () securityfocus com
Subject: Code Red and other anomalous activity from 1433


Has anybody else been getting slammed by Code Red activity today? It seems
to be coming from mostly Asian blocks, but there are some other blocks
thrown in there as well. Then again, it could all be spoofed and could be
coming from the 12-year-old down the street... Thrown into all this traffic
I'm also seeing a lot of dest ports with 1433; possibly that SQL stuff that
happened last month... Anywho, just wanted to know if anybody else was
experiencing this.

Cheers,
Eric

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Wednesday, July 10, 2002 1:40 PM
To: Pavel Kankovsky; incidents () securityfocus com
Subject: RE: TCP port 139 probes



> Having done a superficial examination of system directories on those
> machines (they had a publicly accessible share, ergo I was invited,
> wasn't I? <g>)

Uh...no, you weren't.  Just b/c a share is publicly
accessible, does NOT, in fact, mean that you were
invited.  This is simply the age-old rhetoric used to
justify malicious actions.  While many admins have
said that they would be very happy to be told by an
outsider that they had a vulnerable machine, to date
not a single one has said that they'd be happy to have
that person access the machine via some vulnerability
and take files.

> I downloaded 3 of them and they all seem to be compressed executables

As with your previous posts, this one is incredibly vague and lacking in
any useful information. Compressed with what? PKZip? UPX? What version?
Did you uncompress the files?

> having a common prefix,

If you're referring to the first couple of bytes of
the file, "MZ" is the common prefix for executables on
Windows systems.

> and there are some fragments of strings ("rom", "y smt", ") with",
> "ESM", "Mime-", "-Typ", "quit" etc) in that common prefix suggesting
> there is some SMTP implementation there--presumably some kind of
> malware able to spread via email.

Did you run strings on the compressed or uncompressed file?

> But I did not find anything similar on other machines I examined.

Interesting how you've posted to a public list,
basically stating that while you refuse to do any
testing on your end to verify that the activity you're
seeing is a worm (in your own words to me via email,
you're "too lazy"), you're more than willing to access
vulnerable systems and take files...


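H C's questions (packed with what, was strings run on the packed or the unpacked file, and the point that "MZ" is simply the start of any Windows executable) are the first triage steps on an unknown binary. The script below is an added example, not code from either poster. It builds two constructed stand-in files (not real malware): one with readable SMTP command strings, and one whose body is hidden behind a toy XOR, an assumption standing in for real compression, which likewise leaves no readable strings. It then shows that the MZ check, the PE section names (UPX names its sections UPX0/UPX1) and a strings pass give very different answers depending on whether the file has been unpacked.

```python
import re
import struct

# Packer fingerprints the triage looks for. UPX names its sections UPX0/UPX1
# (UPX2 in some builds) and leaves a "UPX!" tag in the packed file.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"

# Markers that suggest a built-in SMTP engine, the kind of thing the quoted
# fragments ("y smt", "Mime-", "-Typ", "quit") hint at.
SMTP_MARKERS = ("HELO", "EHLO", "MAIL FROM", "RCPT TO",
                "Mime-Version", "Content-Type", "QUIT")


def is_mz(data):
    """True if the bytes start with the DOS/PE "MZ" signature."""
    return data[:2] == b"MZ"


def section_names(data):
    """Return the PE section names, or [] if the data is not a parseable PE."""
    if not is_mz(data) or len(data) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return []
    coff = e_lfanew + 4                                  # 20-byte COFF header
    if len(data) < coff + 20:
        return []
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table start
    names = []
    for i in range(nsections):
        raw = data[table + i * 40: table + i * 40 + 8]   # 40-byte entries, 8-byte name
        if len(raw) < 8:
            break
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Cheap packer check: UPX section names or the UPX! tag."""
    return UPX_MAGIC in data or any(n in UPX_SECTION_NAMES for n in section_names(data))


def printable_strings(data, min_len=4):
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def smtp_indicators(data):
    """Strings that contain an SMTP or MIME marker (case-insensitive)."""
    return [s for s in printable_strings(data)
            if any(m.lower() in s.lower() for m in SMTP_MARKERS)]


def triage(data):
    """One-shot summary a responder would want before deciding to unpack."""
    return {
        "mz": is_mz(data),
        "sections": section_names(data),
        "upx": looks_upx_packed(data),
        "smtp_strings": smtp_indicators(data),
    }


# --- Constructed stand-ins (not real malware) -------------------------------

def _fake_pe(names, body):
    """Minimal MZ header + PE signature + COFF header + section table + body."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in names)
    return dos + b"PE\x00\x00" + coff + table + body


MAILER_BODY = (b"\x00\x90\x90" + b"HELO %s\r\n" + b"MAIL FROM:<%s>\r\n"
               + b"RCPT TO:<%s>\r\n" + b"Mime-Version: 1.0\r\n"
               + b"Content-Type: text/plain\r\n" + b"QUIT\r\n")

UNPACKED_SAMPLE = _fake_pe([".text", ".data"], MAILER_BODY)
# XOR with 0xFF pushes every ASCII byte above 0x7F, so no string survives;
# a toy stand-in for what a real packer's compression does to the strings.
PACKED_SAMPLE = _fake_pe(["UPX0", "UPX1"], bytes(b ^ 0xFF for b in MAILER_BODY))

if __name__ == "__main__":
    for label, sample in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(sample))
```

On the packed stand-in the triage reports MZ and UPX section names but no SMTP strings; on the unpacked one it lists the SMTP commands. That is why H C's question matters: a strings pass on a still-packed file says almost nothing about what the program does, while a shared "MZ" prefix says nothing beyond "Windows executable".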

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


