[21678] in bugtraq


RE: 'Code Red' does not seem to be scanning for IIS

daemon@ATHENA.MIT.EDU (Kelly Martin)
Thu Jul 19 19:16:05 2001

Message-ID: <995553B4C2DBD3119BFA0090278A73710B6C29@prbdc.fb.org>
From: Kelly Martin <kellym@fb00.fb.org>
To: "'Mike Brockman'" <phubuh@home.se>, bugtraq@securityfocus.com
Date: Thu, 19 Jul 2001 17:21:06 -0500
MIME-Version: 1.0
Content-Type: text/plain

Our principal web server (which services some 50-odd virtual domains) has
taken over 500 hits from "Code Red" worms since around 10am today.  It runs
Apache, so it doesn't present a security risk, but it is tending to annoy
our already-overloaded network pipe (we have four Class C's squeezed into
one T1 line).  Prior to today at around 11am there is no record in our
logfiles for that server, which go back to 10 July.

Our servers all started to see hits at about the same time, around 10 am
central time.  Two of them, NT 4.0 SP6a systems with IIS 5, died, one
repeatedly, before we figured out what was going on.  The attacks come from
widely variable hosts (no discernible pattern).  I've tracked nearly a
thousand hits on our IP block in the past six hours or so with none before
that, and that doesn't even count the ones that smacked silently against the
firewall (port 80 is only open through the firewall to hosts that actually
run public web servers, which is only a tiny fraction of the IPs in the
block).

My cable modem has also started to get hit today, for the first time as far
as I know, as has our off-site ecommerce server.  I suspect that this is a
fresh launch, possibly with a modified code base from the original Red Code
worm.

Kelly Martin
American Farm Bureau Federation

> -----Original Message-----
> From:	Mike Brockman [SMTP:phubuh@home.se]
> Sent:	Thursday, July 19, 2001 4:33 PM
> To:	bugtraq@securityfocus.com
> Subject:	'Code Red' does not seem to be scanning for IIS
> 
> From what I read about the 'Code Red' worm, it was supposed to be scanning
> for IIS servers. It obviously isn't; I believe it tries to infect
> everything it finds on port 80, or something as simple as that.
> 
> About three to four days ago, I started to get those default.ida GETs in
> my Apache logs. I shut down the server as fast as I could, and checked for
> outgoing connections from my computer, and then did some research.
> I was told that it was an IIS worm, and that it couldn't affect
> Apache servers, so I was safe. I turned the server back on, and from that
> day I have received forty-one attempts.
> 
> How can this be? Why am I getting so few attempts, if it is as eEye says
> -- that every worm instance has the same seed?
> I should be getting tons and tons of tries, if the worm has been around
> for this long. Or is it that my IP is high up in the "sequence", and not
> many come that far? If that is the case, the number should be increasing
> fast in the near future, right?
> 
> I'll come back with a report in a week or so.
> 
> ________________________________
>  m'name be mike brockman! jeeh!
> _ooh,_und_dunt_feed_my_eskimoes_
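Both posters are reading the worm's activity off Apache access logs: the `default.ida` GET requests, how many arrived, from how many distinct sources, and when they started. The script below is an added example, not code from either poster or from the bugtraq archive; it parses Apache common-log-format lines, picks out requests for `/default.ida`, and summarises hit counts per hour, distinct source addresses and the first-seen time, which is exactly the kind of tally Kelly describes doing by hand. The log lines embedded in it are constructed samples (documentation-range addresses, a made-up `NNNN...` query string); the regular expression and field names are the example's own assumptions, not anything the thread specifies.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache common-log-format samples; not taken from the thread.
SAMPLE_LOG = """\
192.0.2.17 - - [19/Jul/2001:10:02:11 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 291
198.51.100.8 - - [19/Jul/2001:10:15:40 -0500] "GET /index.html HTTP/1.1" 200 5123
203.0.113.44 - - [19/Jul/2001:11:47:03 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 291
192.0.2.17 - - [19/Jul/2001:12:03:59 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 291
198.51.100.8 - - [19/Jul/2001:12:30:00 -0500] "GET /DEFAULT.IDA?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 291
this line is garbage and should be skipped
"""

# Common log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumed marker for the probe: the request path the thread talks about.
PROBE_PATH = "/default.ida"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_probe(rec):
    """True if the record is a GET for /default.ida (case-insensitive)."""
    return rec["method"] == "GET" and rec["path"].lower().startswith(PROBE_PATH)


def summarize(log_text):
    """Count default.ida probes: total, distinct sources, per-hour buckets, first seen."""
    probes = [r for r in map(parse_line, log_text.splitlines()) if r and is_probe(r)]
    per_hour = Counter(r["time"].strftime("%Y-%m-%d %H:00") for r in probes)
    sources = Counter(r["ip"] for r in probes)
    return {
        "total": len(probes),
        "unique_sources": len(sources),
        "per_hour": dict(per_hour),
        "top_sources": sources.most_common(3),
        "first_seen": min((r["time"] for r in probes), default=None),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} probes from {report['unique_sources']} sources, "
          f"first seen {report['first_seen']}")
    for hour, n in sorted(report["per_hour"].items()):
        print(f"  {hour}  {n}")
    for ip, n in report["top_sources"]:
        print(f"  {ip:<16} {n}")
```

Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file's contents; the per-hour buckets are what show a sudden onset of the kind both posters report, and the source count (versus the total) shows whether the same few hosts are retrying or many different ones are scanning. Note that a 404 on an Apache host, as in the samples, records the probe without the server being affected by it.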
