[21676] in bugtraq
RE: 'Code Red' does not seem to be scanning for IIS
daemon@ATHENA.MIT.EDU (Marc Maiffret)
Thu Jul 19 19:05:43 2001
From: "Marc Maiffret" <marc@eeye.com>
To: "Mike Brockman" <phubuh@home.se>, <bugtraq@securityfocus.com>
Date: Thu, 19 Jul 2001 22:28:32 -0000
Message-ID: <EIEOJCKGEPCLJHGCNNOPKEBLEBAA.marc@eeye.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
In-Reply-To: <Pine.LNX.4.33.0107192320500.6474-100000@igloo>
The worm just tries port 80 on IPs. Doesn't care if it's IIS or not.
Also, as for the IP seed thing... we have heard reports there is a variant
worm that is doing truly random IP addresses. We don't have any more info on
that though.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
|-----Original Message-----
|From: Mike Brockman [mailto:phubuh@home.se]
|Sent: Thursday, July 19, 2001 9:33 PM
|To: bugtraq@securityfocus.com
|Subject: 'Code Red' does not seem to be scanning for IIS
|
|
|From what I read about the 'Code Red'-worm, it was supposed to be scanning
|for IIS-servers. It obviously isn't, I believe it tries to infect
|everything it finds on port 80, or something as simple as that.
|
|About three to four days ago, I started to get those default.ida-GETs in
|my Apache-logs. I shut down the server as fast as I could, and checked for
|outgoing connections from my computer, and then did some research.
|I was told that it was an IIS-worm, and that it couldn't affect
|Apache-servers, so I was safe. I turned the server back on, and from that
|day I have received forty-one attempts.
|
|How can this be? Why am I getting so few attempts, if it is as eEye says
|-- that every worm-instance has the same seed?
|I should be getting tons and tons of tries, if the worm has been around
|for this long. Or is it that my IP is high up in the "sequence", and not
|many come that far? If that is the case, the number should be increasing
|fast in the near future, right?
|
|I'll come back with a report in a week or so.
|
|________________________________
| m'name be mike brockman! jeeh!
|_ooh,_und_dunt_feed_my_eskimoes_
|
|
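
Added example, not part of either post: one way to tally the default.ida GETs discussed above from an Apache access log, per day and per source, which is the kind of count needed to judge whether the same hosts keep coming back. It assumes Common Log Format; the sample lines are constructed, using documentation-range addresses and a placeholder query string.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Common Log Format prefix: host ident user [time] "request" status size
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+')

# Constructed sample lines (documentation-range addresses, placeholder query string).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jul/2001:03:12:44 +0200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [17/Jul/2001:09:01:02 +0200] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [18/Jul/2001:11:40:19 +0200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [18/Jul/2001:23:59:58 +0200] "GET /DEFAULT.IDA?XXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [19/Jul/2001:00:00:03 +0200] "GET /docs/default.ida.txt HTTP/1.0" 404 280
this line is not a log entry
"""

def ida_probes(lines):
    """Yield (date, source_host) for each request whose path is /default.ida."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        parts = m.group("req").split()
        if len(parts) < 2:
            continue
        # Compare the path only, case-insensitively, ignoring the query string.
        if urlsplit(parts[1]).path.lower() != "/default.ida":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield ts.date().isoformat(), m.group("host")

def summarize(lines):
    """Return (probes per day, distinct sources per day, sources seen on more than one day)."""
    per_day, sources, days_by_src = Counter(), defaultdict(set), defaultdict(set)
    for day, host in ida_probes(lines):
        per_day[day] += 1
        sources[day].add(host)
        days_by_src[host].add(day)
    repeat = sorted(h for h, d in days_by_src.items() if len(d) > 1)
    return dict(per_day), {d: len(s) for d, s in sources.items()}, repeat

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

To run it against a real log, pass the open file object to summarize() in place of the sample lines.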