Code Red(s) being confused with sadmind/IIS worm?
Stephen W. Thompson
thompson at pobox.upenn.edu
Thu Aug 9 21:09:40 GMT 2001
Follow my line of thinking here.

In many cases, we're getting reports of Code Red for machines that are
not running Win2k -- Win9x or a unix variant. We jump to the
conclusion that the reports were in error.

However, lots of the reports are not coming from signature-checking
sources (e.g., IDS), but rather are simply seen to be hitting port
80/tcp on a machine that isn't a (perhaps public) webserver.

So are a lot of the reports simply a distraction? I don't think so.

I've noticed we have a good amount of the sadmind/IIS worm presence on
our network. (See http://www.cert.org/advisories/CA-2001-11.html for
one writeup.) Recall that this is the worm that hits Solaris boxes
with a sadmind buffer overflow, and then those machines go after IIS
with a Unicode directory traversal vulnerability.

If I'm correct, that implies a) sadmind/IIS is more prevalent than
we'd realized and, possibly b) that there might be a variant of
sadmind/IIS that succeeds on non-Solaris machines unlike the original
variant. Any corroboration on (b) from anyone?
Steve, (tired) security analyst
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson at isc.upenn.edu URL=http://pobox.upenn.edu/~thompson/index.html
For security matters, use security at isc.upenn.edu, read by InfoSec staff
The only safe choice: Write e-mail as if it's public. Cuz it could be.
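The post's point is that a bare "hit on port 80/tcp" cannot tell Code Red apart from the sadmind/IIS worm's IIS stage; only the request line can. The following Python is an added example, not part of the original message, of a web-log triage routine a defender could run over the web server's access log: it labels each request as Code Red (the worm's request for /default.ida, a pattern documented in the public advisories), as a Unicode directory traversal attempt (the overlong UTF-8 "/" encodings such as %c0%af used by the IIS stage described in CA-2001-11), or as unclassified. The log format, IP addresses and the shortened run of "N" characters are constructed for the example; the traversal label names the technique rather than a specific worm, since the same request could come from any tool that exploits that IIS bug.

```python
import re

# Constructed sample lines in Apache common log format. The Code Red
# request is truncated: the real worm sends a much longer run of 'N's.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2001:20:01:12 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 328
10.0.0.7 - - [09/Aug/2001:20:02:30 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
10.0.0.9 - - [09/Aug/2001:20:03:01 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.11 - - [09/Aug/2001:20:03:45 +0000] "GET /msadc/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
"""

# Pull the method, path and protocol out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)"')

# Code Red targets the IIS Index Server ISAPI filter via /default.ida.
CODE_RED_RE = re.compile(r'^/default\.ida\?', re.IGNORECASE)

# Unicode directory traversal: ".." followed by an overlong UTF-8 encoding
# of a path separator (%c0%af, %c1%1c, %c1%9c, ...). This is the IIS hole
# the sadmind/IIS worm's second stage uses, but any scanner can send it.
UNICODE_TRAVERSAL_RE = re.compile(r'\.\.%c[01]%[0-9a-f]{2}', re.IGNORECASE)


def classify_request(path):
    """Label one request path. A connection with no request line at all
    (what a port-80 'hit' report gives you) would land in 'unclassified'."""
    if CODE_RED_RE.search(path):
        return "code-red"
    if UNICODE_TRAVERSAL_RE.search(path):
        return "unicode-traversal"
    return "unclassified"


def classify_log(text):
    """Return (source_ip, path, label) for every parseable request line."""
    results = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # no request line: nothing to classify
        source_ip = line.split()[0]
        path = match.group("path")
        results.append((source_ip, path, classify_request(path)))
    return results


def summarize(results):
    """Count requests per label, so the two worms are reported separately."""
    counts = {}
    for _, _, label in results:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    classified = classify_log(SAMPLE_LOG)
    for source_ip, path, label in classified:
        print(f"{source_ip:<12} {label:<18} {path[:60]}")
    print(summarize(classified))
```

Run against a real access log, the summary separates Code Red scans from Unicode traversal attempts, which is the distinction a port-based report cannot make; hosts that only show up in firewall or netflow data with no request line stay unclassified until a packet capture or the target's own web log supplies the request.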