Code Red(s) being confused with sadmind/IIS worm?

Stephen W. Thompson thompson at pobox.upenn.edu
Thu Aug 9 21:09:40 GMT 2001


Follow my line of thinking here.

In many cases, we're getting reports of Code Red for machines that are
not running Win2k -- Win9x or a unix variant.  We jump to the
conclusion that the reports were in error.

However, lots of the reports are not coming from signature-checking
sources (e.g., IDS), but rather are simply seen to be hitting port
80/tcp on a machine that isn't a (perhaps public) webserver.

So are a lot of the reports simply a distraction?  I don't think so.
I've noticed we have a good amount of the sadmind/IIS worm presence on
our network.  (See http://www.cert.org/advisories/CA-2001-11.html for
one writeup.)  Recall that this is the worm that hits Solaris boxes
with a sadmind buffer overflow, and then those machines go after IIS
with a Unicode directory traversal vulnerability.

If I'm correct, that implies a) sadmind/IIS is more prevalent than
we'd realized and, possibly b) that there might be a variant of
sadmind/IIS that succeeds on non-Solaris machines unlike the original
variant.  Any corroboration on (b) from anyone?

En paz,
Steve, (tired) security analyst
-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson at isc.upenn.edu    URL=http://pobox.upenn.edu/~thompson/index.html
  For security matters, use security at isc.upenn.edu, read by InfoSec staff
  The only safe choice: Write e-mail as if it's public.  Cuz it could be.
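As an added example (not part of the original post or of the unisog list), the check below separates the two worms by request content, which is exactly what a report of "something hit port 80/tcp" cannot do. It classifies HTTP request lines from a web-server log using the publicly documented request shapes: Code Red's `GET /default.ida?NNNN...` probe and the sadmind/IIS worm's IIS Unicode directory traversal (`..%c0%af..`, `..%c1%1c..`) toward `cmd.exe`. The sample request lines are constructed for illustration; anything that matches neither pattern stays unclassified rather than being counted as either worm.

```python
import re

# Constructed sample request lines (not from the original post). They mimic
# the well-known request shapes of Code Red (the /default.ida probe with a
# long run of 'N') and the sadmind/IIS worm (IIS Unicode directory traversal
# reaching for cmd.exe), plus ordinary port-80 hits that identify neither.
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/status HTTP/1.1",
]

# Code Red: a GET for /default.ida whose query string begins with a run of N.
CODE_RED = re.compile(r"^GET\s+/default\.ida\?N+", re.IGNORECASE)

# IIS Unicode traversal as used by the sadmind/IIS worm: ".." followed by an
# overlong two-byte UTF-8 encoding of a path separator (%c0%af, %c1%1c, ...).
UNICODE_TRAVERSAL = re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.IGNORECASE)


def classify(request_line: str) -> str:
    """Label one HTTP request line; a bare port hit without a request line
    would never reach this function, which is the point of the example."""
    if CODE_RED.search(request_line):
        return "code-red"
    if UNICODE_TRAVERSAL.search(request_line):
        return "iis-unicode-traversal"
    return "unclassified-port80"


def summarize(request_lines):
    """Count request lines per label so the two worms are reported apart."""
    counts = {}
    for line in request_lines:
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{classify(line):24s} {line}")
    print(summarize(SAMPLE_REQUESTS))
```

Run against real access logs, the `unclassified-port80` bucket is the set of reports that should not be attributed to either worm without further evidence; the other two buckets are what an IDS signature would have told you directly.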



More information about the unisog mailing list