Code Red(s) being confused with sadmind/IIS worm?

H C keydet89 at yahoo.com
Thu Aug 9 23:31:03 GMT 2001


Steve,

> In many cases, we're getting reports of Code Red for
> machines that are
> not running Win2k -- Win9x or a unix variant.  We
> jump to the
> conclusion that the reports were in error.

Yes, I've been seeing this in other lists, and on
Usenet.  Not only have cases been misreported by
admins who may or may not be knowledgeable enough to
report such things, but folks reporting just about any
unusual activity on port 80 in the past 2 wks,
regardless of web server (or the absence thereof) have
been told by others that it's Code Red.

> However, lots of the reports are not coming from
> signature-checking
> sources (e.g., IDS), but rather are simply seen to
> be hitting port
> 80/tcp on a machine that isn't a (perhaps public)
> webserver.

As the Code Red worm scans rather indiscriminately for
hosts to infect, a lot of us are seeing SYN packets to
port 80.  With no other activity to observe, many may
be making the assumption that it's the result of Code
Red, and instead of reporting 200 SYN packets to port 80,
they are reporting 200 attempts at Code Red.  Many of
the SYN packets may not be from infected systems at
all, but rather may be folks using the eEye tool (or
any of the variants) to look for unpatched systems, or
systems with root.exe in the /scripts or /msadc
directory.

But again...many folks (particularly home users with
BlackIce or ZA) are seeing the scans and reporting the
SYN packets as Code Red.

>  Any corroboration on (b) from anyone?

That would be interesting to see.  After all, the IIS
exploit used by sadmind/IIS was patched about 7 or so
months before the worm came out.  There is no reason
to assume that there aren't still unpatched servers
out there...
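The triage point made above (a bare SYN to 80/tcp identifies no particular worm, whereas a completed HTTP request for root.exe under /scripts or /msadc is an actual sadmind/IIS-style indicator) can be turned into a small classifier. This is an added example, not code from the original post or from the unisog list; the log format it parses is a constructed, simplified one ("SYN src dst:port" and "HTTP src dst:port \"METHOD URI\""), and the sample lines are made up for the demonstration.

```python
"""Classify port-80 activity reports before calling anything 'Code Red'.

Constructed log format (hypothetical, not any real product's):
  SYN  <src> <dst>:<port>                   -- a connection attempt only
  HTTP <src> <dst>:<port> "<METHOD> <URI>"  -- a completed HTTP request
"""
import re
from collections import Counter

SYN_RE = re.compile(r'^SYN (\S+) (\S+):(\d+)$')
HTTP_RE = re.compile(r'^HTTP (\S+) (\S+):(\d+) "(\w+) (\S+)"$')
# The artefact named in the post: root.exe under /scripts or /msadc.
ROOT_EXE_RE = re.compile(r'^/(?:scripts|msadc)/root\.exe', re.IGNORECASE)


def classify(line):
    """Return a category label for one log line.

    A SYN by itself is evidence of a scan, not of a specific worm, so it
    is labelled by port only. Only a parsed HTTP request can be matched
    against a content indicator.
    """
    m = SYN_RE.match(line)
    if m:
        port = int(m.group(3))
        return 'syn_only_port80' if port == 80 else 'syn_only_other'
    m = HTTP_RE.match(line)
    if m:
        uri = m.group(5)
        if ROOT_EXE_RE.match(uri):
            return 'root_exe_probe'      # sadmind/IIS-style backdoor check
        return 'http_request_unclassified'
    return 'unparsed'


def summarize(lines):
    """Count lines per category so a report says what was actually seen."""
    return Counter(classify(line) for line in lines)


def signature_backed(summary):
    """True only if at least one line carried a content indicator.

    A summary made up purely of SYNs cannot support a worm attribution.
    """
    return summary.get('root_exe_probe', 0) > 0


# Constructed sample lines (addresses from documentation ranges).
SAMPLE_LOG = [
    'SYN 198.51.100.7 192.0.2.10:80',
    'SYN 198.51.100.8 192.0.2.10:80',
    'SYN 198.51.100.9 192.0.2.10:80',
    'SYN 198.51.100.9 192.0.2.10:443',
    'HTTP 203.0.113.4 192.0.2.10:80 "GET /scripts/root.exe"',
    'HTTP 203.0.113.5 192.0.2.10:80 "GET /msadc/root.exe"',
    'HTTP 203.0.113.6 192.0.2.10:80 "GET /index.html"',
    'this line is not in the expected format',
]

if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    for category, count in sorted(summary.items()):
        print(f'{category:28s} {count}')
    print('content indicator present:', signature_backed(summary))
```

Run against a log made up only of SYN lines, `signature_backed` returns False, which is exactly the case the post describes: 200 SYNs to port 80 should be reported as 200 SYNs, not as 200 Code Red attempts.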

