[Dshield] Watch the fakeworms !

David Watson david.watson at ioko365.com
Tue Aug 7 16:50:01 GMT 2001


Patrick/Wayne

No offence to anyone, but I would expect that these log entries are indeed 
either manually generated or script generated and not a Code Red II 
signature. If they were, you would expect to see the following in 
your logs:

211.195.147.133 - - [ 7/Aug/2001:12:56:24 +0100] "GET 
http:/site/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
HTTP/1.0" - - "-"

Note your scans have no shell code injection vector, but they do have the 
(potentially spoofed) browser fields of a Windows client, and use 
persistent HTTP/1.1 requests (unlike Code Red).

Just because the probe isn't from Code Red, it doesn't mean that someone is 
not trying to test your server using the same attack method.

Hope this helps,

David

At 08:34 07/08/2001 -0500, you wrote:
>Patrick,
>
>First the requests are not "fake", but rather the latest off shoot of the 
>original Code Red worm.  This one, some have dubbed Code Red II, leaves an 
>available backdoor into your IIS system that can be exploited at any 
>time.  If you are running an IIS server and patched it for the original 
>Code Red worm then you are safe from infection.  If you never installed 
>the IIS patch from Microsoft then you should do that as it blocks 
>both  the original and this new strain that started broadcasting this past 
>weekend.
>
>Wayne
>
>
> >>> patrick at pine.nl 08/07/01 02:34:47 >>>
>Hi,
>
>I keep getting 'fake' worm requests. What could be the use of these,
>except being sad?
>
>128.218.8.173 - - [ 7/Aug/2001:09:27:59 +0200] "GET 
>http://213.156.3.18/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
>HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE.4.01; Windows NT)"
>
>24.132.72.194 - - [ 7/Aug/2001:09:29:28 +0200] "GET 
>http://www.pine.nl/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
>HTTP/1.1" - - "-" "Mozilla/4.0 (compatible;MSIE 5.5; Windows NT 5.0)"
>
>         Patrick
>
>
>--
>  Patrick Oonk - PO1-6BONE - E: patrick at pine.nl - www.pine.nl/~patrick
>  Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk at my.security.nl
>  T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl
>  PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
>  Excuse of the day: Boss' kid fucked up the machine
>
>_______________________________________________
>Dshield mailing list
>Dshield at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www1.dshield.org/mailman/listinfo/dshield

--
David Watson                    Voice:  +44 1904 438000
Technical Manager               Fax:    +44 1904 435450
ioko365                 Email:  david.watson at ioko365.com
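As an added example (not from the thread), a small Python classifier that applies David's distinction to constructed Apache-style log lines: a default.ida request carrying %u-encoded bytes is flagged as a Code Red-style signature, while one with filler only (no shellcode vector, typically HTTP/1.1 with a browser User-Agent) is flagged as a probe. The addresses, hostnames and shortened filler are made up for this example.

```python
import re

# Combined-log-style line: request in quotes, then status/bytes and optional
# quoted referer and user-agent (the thread's lines use "-" for missing fields).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[\s*(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)"'
    r'(?P<rest>.*)$'
)
UA_RE = re.compile(r'"([^"]*)"\s*$')              # last quoted field is the UA
UNICODE_ESC_RE = re.compile(r'%u[0-9a-fA-F]{4}')  # %uXXXX escapes in the query

# Constructed sample lines (filler shortened; real Code Red uses hundreds of N's).
CR_QUERY = "N" * 24 + "%u9090%u6858%ucbd3%u7801" * 2 + "=a"
SAMPLE_LOGS = [
    '10.0.0.1 - - [07/Aug/2001:12:56:24 +0100] "GET /default.ida?' + CR_QUERY
    + ' HTTP/1.0" - - "-"',
    '10.0.0.2 - - [07/Aug/2001:09:27:59 +0200] "GET http://www.example.com/default.ida?'
    + "X" * 24 + ' HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    '10.0.0.3 - - [07/Aug/2001:09:30:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.9"',
]


def classify(line):
    """Return None for unparsable lines, else a dict describing the request."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    ua_m = UA_RE.search(m.group("rest"))
    escapes = UNICODE_ESC_RE.findall(query)
    if not path.lower().endswith("/default.ida"):
        verdict = "unrelated"
    elif escapes:
        verdict = "codered-signature"   # %u shellcode vector present
    else:
        verdict = "probe-no-shellcode"  # filler only: script or manual test
    return {
        "host": m.group("host"),
        "version": m.group("version"),
        "user_agent": ua_m.group(1) if ua_m else "-",
        "escapes": len(escapes),
        "verdict": verdict,
    }


def summarize(lines):
    """Count verdicts over a batch of log lines, skipping unparsable ones."""
    counts = {}
    for line in lines:
        r = classify(line)
        if r:
            counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts
```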
