[Dshield] Code Red ISAPI Overflows and UDP 2380

Thompson, John J ThompsonJJ at mail.medicine.uiowa.edu
Mon Aug 6 17:24:59 GMT 2001


My aplogies to all for the short explanation. 

I have a windows 2000 webserver running IIS5. I have patched it for code red
and I have all ports blocked except for 21,80,137-139. I have black ice
server agent monitoring the system. Black ice logs are showing plenty of
ISAPI extention overflows (caused by code red) that are followed by 10 UDP
probe to port 2380. This seems odd and I wanted to see if anyone was seeing
this as well. If others are seeing this, is it caused by a variant of code
red that is trying to exploit something or connect to something on 2380?
Once this is detected by black ice, the connection is terminated, so Im not
getting additional packet logs. 

--------------------
Date:       Time:       Attack:                    Inruder:        My IP:
Data:        Count:  

2001-08-06 06:05:55   ISAPI extension overflow  210.242.211.42  128.255.x.y
length=362&URL=/default.ida&arg=NNN (cropped)
	1
2001-08-06 06:07:15   UDP port probe            210.242.211.42  128.255.z.y
port=2380&reason=Firewalled	10
--------------------

Thanks,
John

------------------------------------
John Thompson
Network Administrator
Dept. of Biochemistry
University of Iowa




More information about the list mailing list