[Dshield] CodeRed Difference with 'new' XXX variant

ALEPH0 aleph0 at pacbell.net
Sun Aug 5 03:05:47 GMT 2001


I'm on 63.x.x.x of PACBELL's DSL net and all of them hitting me are within
that class A.  It appears to be a clear characteristic of this modification.
It would be interesting to know if class B and C addresses are seeing the
characteristic where it is randomizing over their standard 16 and 8 bit masks.  I
suppose there is a strategic purpose since the ISPs and corporations
manage/control differently when the traffic doesn't cross their edge
routers, proxies, firewalls, ...  But the nets need to be seeded somehow --
that's the mystery.

Not too many hits yet.  But here's the profile by number of hits.  Maybe
63.206.192.250 was the vector.

63.206.192.250 - NETBIOS
 ROC            <0x00> Unique  Workstation Service
 PDEDOMAIN      <0x00> Group   Domain Name
 ROC            <0x20> Unique  File Server Service
 PDEDOMAIN      <0x1e> Group   Potential Master Browser

63.206.30.58 - NETBIOS
 IIS            <0x00> Unique  Workstation Service
 IIS            <0x20> Unique  File Server Service
 AUTODYNAMIC    <0x00> Group   Domain Name
 AUTODYNAMIC    <0x1c> Group   Domain Controller
 AUTODYNAMIC    <0x1b> Unique  Domain Master Browser
 AUTODYNAMIC    <0x1e> Group   Potential Master Browser
 IIS            <0x03> Unique  Messenger Service
 AUTODYNAMIC    <0x1d> Unique  Master Browser
 ..__MSBROWSE__.<0x01> Group   Master Browser
 ADMINISTRATOR  <0x03> Unique  Messenger Service
 INet~Services  <0x1c> Group   Domain Controller
 IS~IIS.........<0x00> Unique  Workstation Service


-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Paul Hustava
Sent: Saturday, August 04, 2001 2:50 PM
To: dshield at dshield.org
Subject: [Dshield] CodeRed Difference with 'new' XXX variant


When I first noticed the new variant of Code Red exploit attempt today, I
noticed the new 'GET' lines containing the XXXXX's (rather than the NNNNN's)
all had the same first octet as my IP address -- 63.

<snip>
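One way to check the locality both posters describe from a web server log, as an added example that is not code from the thread: it tags Code Red style requests by their X or N padding and buckets each source address by the prefix it shares with the local host. The /default.ida path is assumed from the worm's known request target, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from the original post). The first field is
# the source address; the rest is the request. The original Code Red padded its
# GET with 'N's, the variant discussed in this thread with 'X's; both are
# assumed here to request /default.ida, the worm's known target path.
SAMPLE_LOG = """\
63.206.192.250 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0
63.206.30.58 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0
63.78.141.103 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0
200.1.2.3 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0
63.206.192.7 GET /index.html HTTP/1.0
"""

CODERED_RE = re.compile(r"GET /default\.ida\?(X{10,}|N{10,})")


def classify(line):
    """Return (src_ip, 'X' or 'N') for a Code Red style request, else None."""
    m = CODERED_RE.search(line)
    if not m:
        return None
    return line.split()[0], m.group(1)[0]


def shared_prefix_bucket(src, local):
    """Bucket a source by how many leading octets it shares with the local host.

    The thread reports X-variant hits concentrated in the poster's own /8; a
    histogram over these buckets shows whether that bias is present in a log.
    """
    shared = 0
    for a, b in zip(ipaddress.IPv4Address(src).packed,
                    ipaddress.IPv4Address(local).packed):
        if a != b:
            break
        shared += 1
    return {3: "same /24", 2: "same /16", 1: "same /8"}.get(min(shared, 3), "unrelated")


def locality_profile(log_text, local_ip, variant="X"):
    """Count Code Red sources of one variant by the prefix they share with local_ip."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[1] == variant:
            counts[shared_prefix_bucket(hit[0], local_ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(locality_profile(SAMPLE_LOG, "63.206.100.1"))       # X variant
    print(locality_profile(SAMPLE_LOG, "63.206.100.1", "N"))  # original variant
```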
