Security Incidents mailing list archives

RE: CodeRed Observations.


From: "Rob Shein" <shoten () starpower net>
Date: Thu, 13 Mar 2003 10:56:37 -0500

Check your filters.  You might be looking at traffic through a selection
filter that doesn't show the handshake, so that you can concentrate on the
content that passes back and forth.  That's what I usually find to be the
case when someone makes this kind of observation...

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com] 
Sent: Wednesday, March 12, 2003 7:48 PM
To: 'incidents () securityfocus com'
Subject: FW: CodeRed Observations.


Hello,

I have been watching this recent spike in CodeRed activity and one
thing I am noticing is the lack of TCP session establishment. I am
seeing common GET strings like this showing up at my firewalls without
ever establishing a TCP three way handshake. I have seen several
hundred packets within the last two days similar to this at my firewalls.

47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX

Snip------------------------------------------------------------------------------------------------------------------------------

I find it awfully strange that there is no handshake (not even a
single SYN to try and establish a session) but these packets show up
anyway. I also am not seeing an increase of port 80 scans in my
firewall logs or with any of my IDS sensors. Is anybody else out there
seeing the same things we are?

Thanks!

vjl

V.Jay LaRosa                           EMC Corporation
Information Security                  4400 Computer Dr.
(508)898-7433 office                  Westboro, MA 01580
(508)353-1348 cell                     www.emc.com
888-799-9750 pager                   larosa_vjay () emc com
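The check Rob suggests, as an added example (not code from either poster): a Python handshake tracker that, given TCP packet records, counts Code Red style "GET /default.ida?" requests on flows whose three-way handshake was seen versus flows where it was not. The packet records and addresses below are constructed; only the request prefix comes from the hex dump quoted in the thread.

```python
from collections import defaultdict

SYN, PSH, ACK = 0x02, 0x08, 0x10
# Request prefix taken from the hex dump quoted in the thread: "GET /default.ida?"
CODE_RED_PREFIX = bytes.fromhex("47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61 3F")

def flow_key(p):
    """Canonical key so both directions of a connection share one state."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a <= b else (b, a)

def update_handshake(state, p):
    """Advance handshake state: 0 none, 1 SYN, 2 SYN/ACK, 3 final ACK seen."""
    f = p["flags"]
    if f & SYN and not f & ACK:
        return max(state, 1)
    if f & SYN and f & ACK and state >= 1:
        return max(state, 2)
    if f & ACK and not f & SYN and state == 2:
        return 3
    return state

def classify(packets):
    """Count Code Red requests on flows with and without an observed handshake."""
    states = defaultdict(int)
    counts = {"complete": 0, "orphan": 0}
    for p in packets:
        k = flow_key(p)
        states[k] = update_handshake(states[k], p)
        if p["payload"].startswith(CODE_RED_PREFIX):
            counts["complete" if states[k] == 3 else "orphan"] += 1
    return counts

def mkpkt(src, sport, dst, dport, flags, payload=b""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}
REQ = CODE_RED_PREFIX + b"X" * 63  # padded like the dump in the thread

# Constructed capture (hypothetical addresses): flow A has a full handshake,
# flow B shows only the data packet, as a payload-only capture filter would.
SAMPLE = [
    mkpkt("10.0.0.5", 1025, "192.0.2.10", 80, SYN),
    mkpkt("192.0.2.10", 80, "10.0.0.5", 1025, SYN | ACK),
    mkpkt("10.0.0.5", 1025, "192.0.2.10", 80, ACK),
    mkpkt("10.0.0.5", 1025, "192.0.2.10", 80, PSH | ACK, REQ),
    mkpkt("10.0.0.6", 1026, "192.0.2.10", 80, PSH | ACK, REQ),
]
if __name__ == "__main__":
    print(classify(SAMPLE))  # {'complete': 1, 'orphan': 1}
```

If every matching request lands in the "orphan" bucket on a capture taken without a port or payload filter, the missing handshake is real; if the orphans vanish once the filter is removed, it was the filter.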

