Security Incidents mailing list archives
Re: Someone looking for CodeRed infected boxes ?
From: "Maxime Ducharme" <maxime () pandore-design com>
Date: Fri, 28 Jun 2002 14:14:41 -0400
Thanks for feedback people. You're right Host: header is usually "www", but since NetCap can add X-Forwarded-For: and Via: headers, maybe it can correct the Host: if it is incorrect. I didnt see any other access like that yet. Ciao --------------------------------------------------------------- Maxime Ducharme Administrateur reseau, Programmeur E-Mail : maxime () pandore-design com Clé publique PGP : http://pandore-design.com/pgp/maxime.asc Pandore-Design [http://www.pandore-design.com] Tel : (866) 961-9321 Fax : (866) 961-9943 ----- Original Message ----- From: "Joao Gouveia" <jgouveia () accao net> To: <incidents () securityfocus com> Sent: Friday, June 28, 2002 11:52 AM Subject: Re: Someone looking for CodeRed infected boxes ?
Hi, It would, very obviously, be a transparent proxy. But, the weird thing here, is that the request has a valid host header, unlike nimda/code red. JG ----- Original Message ----- From: "Cliff Albert" <cliff () oisec net> To: "Maxime Ducharme" <maxime () pandore-design com> Cc: <incidents () securityfocus com> Sent: Thursday, June 27, 2002 7:20 AM Subject: Re: Someone looking for CodeRed infected boxes ?On Wed, Jun 26, 2002 at 10:18:36AM -0400, Maxime Ducharme wrote:2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1 65.94.25.135 - - - 2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0HTTP/1.165.94.25.135 - - - Sent packet show : GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ HTTP/1.1 Host: 65.94.25.135 Connection: keep-alive Accept: */* X-Forwarded-For: 212.179.220.111 Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3) The proxy is relaying itself ? not much sense The worm generated header on-the-fly ?The NetCache proxyserver is a Hardware-base proxyserver from NetApp which usually runs in transparent mode. Thus also proxying nimda/codered runs. -- Cliff Albert | RIPE: CA3348-RIPE | http://oisec.net/ cliff () oisec net | 6BONE: CA2-6BONE |-------------------------------------------------------------------------- --This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com--------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Someone looking for CodeRed infected boxes ? Maxime Ducharme (Jun 26)
- Re: Someone looking for CodeRed infected boxes ? Cliff Albert (Jun 27)
- Re: Someone looking for CodeRed infected boxes ? Joao Gouveia (Jun 28)
- Re: Someone looking for CodeRed infected boxes ? Maxime Ducharme (Jun 28)
- Re: Someone looking for CodeRed infected boxes ? Joao Gouveia (Jun 28)
- Re: Someone looking for CodeRed infected boxes ? Cliff Albert (Jun 27)