[21702] in bugtraq
Re: 'Code Red' does not seem to be scanning for IIS
daemon@ATHENA.MIT.EDU (daniel uriah clemens)
Fri Jul 20 01:20:56 2001
Date: Thu, 19 Jul 2001 19:58:04 -0500 (CDT)
From: daniel uriah clemens <dclemens@mail.inline.com>
To: Ethan Butterfield <primus@veris.org>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20010719152518.A14984@veris.org>
Message-ID: <Pine.BSF.4.21.0107191952210.26922-100000@ns1.inlinenet.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> In short, it looks like there's two sets of worms out there. One is
> scanning large contiguous netblocks in an obvious fashion, the other is
> hunting and pecking about random IP addresses.
Wrong!
What is happening is the worm always hits port 80; if it hits port 80 (regardless of whether it's Apache or IIS... it's port 80) it then drops the buffer overflow code on it.
I have seen 4800 attacks on 3 class C's so far. I am about to hook in a few more sensors all night.
The worm attacks a random IP on port 80. If the port is closed you see this:
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
If port 80 is open you will then see this:
Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
Also, to add, this is crashing Novell BorderManager servers, Cisco IOS (with web administration enabled, etc. etc...).
Hope this helps someone.
-Daniel Uriah Clemens
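An added example, not code from the post: a small Python triage script that parses the Snort syslog alert format quoted above, re-joins alert entries that a mail client wrapped onto several lines, and tallies per source address how many hits were bare probes (the scan alert seen when port 80 was closed) versus ISAPI .ida overflow attempts (port 80 open, payload delivered). The sample log is constructed from the two alert shapes in the post; the rule-name strings are assumed to be the only discriminator.

```python
"""Triage Snort alerts for Code Red activity (added example, not from the post)."""
import re
from collections import Counter, defaultdict

# Constructed sample: the two alert kinds from the post, two of them wrapped
# the way a mailer wraps long syslog lines.
SAMPLE_LOG = """\
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute
TCP: 199.103.224.4:3183 ->
216.84.196.110:80
Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI
Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
Jul 19 18:01:10 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2231 -> 216.84.194.7:80
"""

# A new record starts with a syslog timestamp; anything else is a wrapped tail.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
ALERT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) snort: "
    r"(?P<rule>.+?): (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def unwrap(text):
    """Re-join alert lines that were split across several mail lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def classify(rule):
    """Map the Snort rule name to what the post says it means."""
    if "ISAPI Overflow ida" in rule:
        return "ida_overflow"  # port 80 answered; overflow payload was sent
    if "scan_" in rule:
        return "probe"  # connection attempt only (port 80 closed)
    return "other"


def tally(text):
    """Count alert kinds per source IP, only for traffic aimed at port 80."""
    per_source = defaultdict(Counter)
    for rec in unwrap(text):
        m = ALERT.match(rec)
        if not m or m.group("dport") != "80":
            continue
        per_source[m.group("src")][classify(m.group("rule"))] += 1
    return per_source
```

Sources with an ida_overflow count are the ones that found an open port 80 on your network and are worth checking for a compromised host behind them.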