[unisog] Re: .ida Intrusion Attempt

Jeff Anderson-Lee jonah at galaxy.CS.Berkeley.EDU
Fri Jul 20 02:42:14 GMT 2001

Russell Fulton <r.fulton at auckland.ac.nz> wrote:
 :The external addresses that were detected by snort appear to be probing 
 :random addresses on port 80 -- just like the red worm does.
 :Are there two versions out there?

We have a linux host running ipchains that DENY's most connections
from the outside world.  It does not advertise any services, so
almost any DENYed packets are scans or probes.

Most of the port 80/tcp probes I'm seeing (via ipchains on linux) probe
6 times before giving up.  Over the past 24 hours I've also seen four
port 80 probes that probed 4 times and one that probed twice before
giving up, so these may be other scans or worms.  However, these
packets are being DENYed, and I have nothing but conjecture that they
are (not) .ida (Code Red) probes.

It could be that some of the packets are getting dropped by congested
routers.  But then I would expect to see odd numbers of packets, and
for some reason the number of packets is always even.

However, when I check the logs on another backwater web server we have,
I don't see any signs of a current buffer overflow attempt besides
the default.ida worm.  There was one "HEAD / HTTP/1.1" request from an
odd host that could be evidence of a probe, plus a number of singleton
requests for the home page and/or robots.txt, but nothing definitively

Jeff Anderson-Lee
System Manager, Digital Library Project
ERL, UC Berkeley

More information about the unisog mailing list