[Dshield] Code Red Host Scans (and more)
aredman at san.rr.com
Sun Aug 5 02:50:21 GMT 2001
I recently sniffed a packet from the second variety of worm mentioned below,
and included in the packet was the text: "CodeRedII", which, although I
don't have a sniffed packet of the first version, seems to say that it is
the second version. Also, starting this morning (~10AM PST) the scans
started flooding in. Before today I've had a total of less than 60 scans to
my IP. Today, though, I've had over 60 every three hours, with about 75% of
them coming from IPs that share the first 2 octets with mine. It looks to
me like it's getting worse, as I have caught 4 more scans while writing this.
Aredman at san.rr.com
On: Saturday, August 04, 2001 8:31 AM John Groseclose wrote:
> At 6:41 PM -0400 8/2/01, Tim Dwayne Southard wrote:
> > My IDS (Cisco Secure) is not detecting the host scans from infected
> > machines. I can see the default.ida?NNN stuff but I think that is
> > the second stage (infection). I need to see the port 80 scans
> > regardless of whether they are scanning MS boxes. Any assistance
> > will be repaid with good Karma.
> The "scan" *is* the "exploit." Code Red doesn't check first to see if
> you're running IIS before attempting to infect. There are no primary
> or secondary stages to the Code Red worm - it either infects your
> machine, or it doesn't.
> The weirder part is this... A "normal" Code Red attempt looks like this:
> cx215003-b.wwck1.ri.home.com - - [01/Aug/2001:04:31:50 -0700] "GET
> %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324 "-" "-"
> Since 12:44:09 GMT, I've been receiving *these* in my logs:
> h-64-105-129-178.lsancaba.covad.net - - [04/Aug/2001:05:44:09 -0700]
> "GET /defau
> 0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277 "-"
> www.sacramentochats.com - - [04/Aug/2001:06:08:15 -0700] "GET
> 3%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277 "-" "-"
> It *looks* like the second worm is trying to reboot the machine via
> an exploit for cmd.exe, but since I don't have any Windows machines
> around to work with, I can't really do any experimentation with it.
> Perhaps someone wrote a "counter-worm."
> John Groseclose
> iain at caradoc.org
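The thread makes two detection points: the request for /default.ida followed by a long run of filler and %u-encoded bytes *is* the infection attempt, whatever status code the server returns, and the second variant's sources cluster near the victim's own address block. The script below is an added example for readers of this archive, not code from the list or from any poster. It parses Apache common-log lines, flags Code Red style requests with any repeated filler letter (not just "NNN"), and reports how many flagged sources share the first two octets with a configured local address. The log lines it runs on are constructed (TEST-NET addresses and an example.net hostname); only the trailing %u sequence is taken from the logs quoted in the thread.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines (Apache common log format). The %u tail is the
# one visible in the logs quoted on the list; hosts and timestamps are made up.
SAMPLE_LOG = """\
192.0.2.17 - - [04/Aug/2001:05:44:09 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324 "-" "-"
192.0.2.5 - - [04/Aug/2001:05:50:12 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
192.0.2.88 - - [04/Aug/2001:06:08:15 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277 "-" "-"
203.0.113.4 - - [04/Aug/2001:06:09:01 -0700] "GET /default.ida HTTP/1.0" 404 277 "-" "-"
198.51.100.9 - - [04/Aug/2001:06:11:40 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277 "-" "-"
scanner.example.net - - [04/Aug/2001:06:12:02 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277 "-" "-"
"""

# Apache common/combined log: host ident user [time] "request" status size ...
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red request shape: GET /default.ida? + a long run of ONE repeated
# letter + %u-encoded payload words. Matching any repeated letter instead of
# the literal "NNN" keeps variants with a different filler from slipping past.
CODE_RED_RE = re.compile(
    r'^GET /default\.ida\?(?P<fill>[A-Za-z])(?P=fill){10,}\S*%u[0-9a-fA-F]{4}'
)


def parse_clf(line):
    """Return the log fields as a dict, or None if the line is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_code_red_hits(log_text):
    """Flag every request matching the Code Red pattern, regardless of status.

    The server's 400/404 does not mean the attempt failed on an IIS host, so
    the status is recorded but never used to filter hits out.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        m = CODE_RED_RE.match(rec["request"])
        if m:
            hits.append({
                "host": rec["host"],
                "time": rec["time"],
                "status": int(rec["status"]),
                "filler": m.group("fill"),
            })
    return hits


def _is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def same_slash16_share(hits, local_ip):
    """Fraction of flagged IPv4 sources sharing the first two octets with us.

    Hostnames (logs written with HostnameLookups on) cannot be compared
    without resolving them, so they are skipped here.
    """
    local_net = ipaddress.ip_network(f"{local_ip}/16", strict=False)
    ip_hits = [h for h in hits if _is_ipv4(h["host"])]
    if not ip_hits:
        return 0.0
    same = sum(1 for h in ip_hits if ipaddress.ip_address(h["host"]) in local_net)
    return same / len(ip_hits)


def status_breakdown(hits):
    """Count flagged requests per HTTP status, to show 400 and 404 both occur."""
    return Counter(h["status"] for h in hits)


if __name__ == "__main__":
    LOCAL_IP = "192.0.2.250"  # assumed address of the logging host
    found = find_code_red_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]}  {h["host"]:<24} filler={h["filler"]} status={h["status"]}')
    print("status breakdown:", dict(status_breakdown(found)))
    print(f"share of sources in our /16: {same_slash16_share(found, LOCAL_IP):.0%}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the /16 share is the quick way to confirm the "neighbours are scanning me" pattern the original poster describes, and a rising count with a steady share is the signal worth alerting on.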