[39681] in North American Network Operators' Group
RE: Code Red
daemon@ATHENA.MIT.EDU (Joe Blanchard)
Thu Jul 19 23:56:17 2001
Message-ID: <E9BBE0941932D511934C0002A52CDB4E2D0793@sj-exchange.wyse.com>
From: Joe Blanchard <jblanchard@wyse.com>
To: 'Dave Stewart' <dbs@ntrnet.net>, nanog@merit.edu
Date: Thu, 19 Jul 2001 20:54:42 -0700
Only thing I have seen as far as attempts to attack a web server is the
following from an apache server:
(ip addy masked, although I did see some from a 10 addy)
10.10.18.109 - - [19/Jul/2001:09:03:53 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205 "-" "-"
I'm still not sure what this exploit does, other than return a strange error page, not a 404 on an MS IIS system, but more like a "failed SQL query" page on the ones I've tested. I've not had enough time to further this exploit.
As for the payload of these items, some of the systems that attempted this seemed to be unpatched for the exploit regarding getting a root shell. Of the ones I had been able to see the exploit on, there was an exe in the scripts directory called root.exe, which turns out to be a copy of cmd.exe.
In short, I would assume that if the boxes in question had that exploit any number of payloads (timebombs) could have been deployed.
I just figure I'll put up a page called Default.ida on Apache server, some ads and start charging for the hits..
Just my 2¢s
-Joe
-----Original Message-----
From: Dave Stewart [mailto:dbs@ntrnet.net]
Sent: Thursday, July 19, 2001 8:32 PM
To: nanog@merit.edu
Subject: Re: Code Red
At 11:12 PM 7/19/2001, lucifer@lightbearer.com wrote:
>Reports from our monitoring systems saw the CPU usage jump by somewhere
>between 150-200% for our core routers today; our current theory is that
Web servers that were hit beginning this morning at 11:26:41 EDT have not seen another attempt since 19:49:53.
I'm wondering if this is because it was coming up on 00:00:00 GMT 20-July-2001.
According to the PC-Cillin write-up, the 100-thread scan only takes place if the system date is less than 20, but if it's 20-28, it launches its DoS attack at www1.whitehouse.gov
Does anybody really know yet what payloads this thing is carrying?
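Added example, not code from either poster: a small Python detector that parses Apache access-log lines of the shape Joe quotes above, flags requests matching the Code Red default.ida probe (long run of N filler followed by %uXXXX-encoded bytes), and reports hits with first and last timestamps per source IP, which is what you need to check an observation like Dave's that attempts stopped at a given time. The sample log lines, the source IPs and the filler length are constructed for the example.

```python
import re
from datetime import datetime

# Apache access-log line: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Shape of the probe quoted in the thread: /default.ida, a long run of 'N'
# filler, then %uXXXX-encoded bytes. Matching the shape rather than exact
# bytes keeps minor variants of the same request flagged.
SIGNATURE_RE = re.compile(r'^/default\.ida\?N{50,}.*(?:%u[0-9a-fA-F]{4}){3,}')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['ts'] = datetime.strptime(entry['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return entry

def is_code_red(entry):
    return entry['method'] == 'GET' and SIGNATURE_RE.match(entry['uri']) is not None

def summarize(lines):
    """Map each probing source IP to (hits, first_seen, last_seen)."""
    seen = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_code_red(entry):
            continue
        hits, first, last = seen.get(entry['ip'], (0, entry['ts'], entry['ts']))
        seen[entry['ip']] = (hits + 1, min(first, entry['ts']), max(last, entry['ts']))
    return seen

# Constructed sample log (not real traffic): two probes from one host, one from
# another, and an ordinary page hit that must not be flagged.
PROBE = '/default.ida?' + 'N' * 224 + '%u9090%u6858%ucbd3%u7801%u9090'
SAMPLE_LOG = [
    f'10.10.18.109 - - [19/Jul/2001:09:03:53 -0400] "GET {PROBE} HTTP/1.0" 404 205 "-" "-"',
    f'10.10.18.109 - - [19/Jul/2001:19:49:53 -0400] "GET {PROBE} HTTP/1.0" 404 205 "-" "-"',
    f'10.10.20.5 - - [19/Jul/2001:11:26:41 -0400] "GET {PROBE} HTTP/1.0" 404 205 "-" "-"',
    '192.0.2.7 - - [19/Jul/2001:12:00:00 -0400] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for ip, (hits, first, last) in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{ip}: {hits} probe(s), first {first:%H:%M:%S}, last {last:%H:%M:%S}')
```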