[Dshield] Code Red Host Scans (and more)

Josh Ballard jballard at cloud.cc.ks.us
Sat Aug 4 17:32:53 GMT 2001

>The "scan" *is* the "exploit." Code Red doesn't check first to see if
>you're running IIS before attempting to infect. There are no primary
>or secondary stages to the Code Red worm - it either infects your
>machine, or it doesn't.

Actually I believe you are a bit incorrect on this.  Yes, it does not check
to see if you're running IIS, but it does check for a webserver before
attempting the .ida overflow.  I have been watching these things on my
packet sniffer on my network, and for the longest time, I was only noticing
a few packets here and there running the .ida... and the weird part was, I
wasn't seeing them on any box except those that were actually running
webservers.  So, I did some checking, loosened the filters on my packet
sniffer to see all traffic, and I was noticing port 80 hits on all my
machines from various places, and then I noticed every time there was a .ida
attempt that there were 4-6 packets inbound BEFORE the .ida, and I compared
those to the packets that were hitting my other hosts, 1-3 packets for those
not responding to a port 80 connect attempt, and they were similar.  So, as
far as I can tell, Code Red doesn't just immediately run the .ida attempt.
It tries to connect, request a document (one that doesn't exist), and then
if it gets a response, it runs the .ida attempt.  If anyone else has a view
on this, I would love to see it.  I don't have the logs with me as I'm at
home, but if anyone wants some proof of this, I'd be glad to run through my
logs and get some.

Josh Ballard
oofle.com Linux Firewall Center
jballard at cloud.cc.ks.us
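
The comparison described in the message above (inbound port 80 packets per source and destination, and what arrives before the first .ida request) can be tallied from a capture as follows. This is an added example, not part of the original post; the record layout, the function names, the addresses and the sample packets are all constructed assumptions, and the sample is built to exercise each outcome rather than to show what the worm sends.

```python
from collections import defaultdict

# Constructed inbound packet records (not captured traffic):
# (seconds, src, dst, dst_port, tcp_flags, payload)
IDA = b"GET /x.ida?PLACEHOLDER HTTP/1.0\r\n"  # placeholder request line only
PACKETS = [
    (0.0, "198.51.100.7", "10.0.0.5", 80, "S", b""),   # host with no listener
    (3.0, "198.51.100.7", "10.0.0.5", 80, "S", b""),
    (9.0, "198.51.100.7", "10.0.0.5", 80, "S", b""),
    (0.1, "198.51.100.7", "10.0.0.9", 80, "S", b""),   # web server, direct .ida
    (0.2, "198.51.100.7", "10.0.0.9", 80, "A", b""),
    (0.3, "198.51.100.7", "10.0.0.9", 80, "PA", IDA),
    (0.4, "203.0.113.4", "10.0.0.9", 80, "S", b""),    # web server, request first
    (0.5, "203.0.113.4", "10.0.0.9", 80, "A", b""),
    (0.6, "203.0.113.4", "10.0.0.9", 80, "PA", b"GET /missing.html HTTP/1.0\r\n"),
    (0.7, "203.0.113.4", "10.0.0.9", 80, "FA", b""),
    (0.8, "203.0.113.4", "10.0.0.9", 80, "S", b""),
    (0.9, "203.0.113.4", "10.0.0.9", 80, "A", b""),
    (1.0, "203.0.113.4", "10.0.0.9", 80, "PA", IDA),
]

def request_path(payload):
    """Return the path from an HTTP request line, or None if not a request."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0] in (b"GET", b"HEAD", b"POST"):
        return parts[1].decode("latin-1")
    return None

def summarize(packets, port=80):
    """Per (src, dst): packet count and what preceded the first .ida request."""
    flows = defaultdict(lambda: {"packets": 0, "syn_only": True,
                                 "before_ida": None, "requests_before_ida": []})
    for _, src, dst, dport, flags, payload in sorted(packets, key=lambda p: p[0]):
        if dport != port:
            continue
        f = flows[(src, dst)]
        path = request_path(payload)
        if f["before_ida"] is None and path:
            if path.split("?")[0].lower().endswith(".ida"):
                f["before_ida"] = f["packets"]  # inbound packets seen before it
            else:
                f["requests_before_ida"].append(path)
        f["packets"] += 1
        f["syn_only"] = f["syn_only"] and flags == "S"
    return dict(flows)

if __name__ == "__main__":
    for key, f in summarize(PACKETS).items():
        print(key, f)
```

Pairs with `syn_only` set are connection attempts that never got an answer; for the rest, `before_ida` and `requests_before_ida` show whether anything other than the TCP handshake preceded the .ida request.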
