The worm just tries port 80 on IPs. Doesn't care if it's IIS or not.

Also as for the IP seed thing... we have heard reports there is a variant worm that is doing truly random IP addresses. We don't have any more info on that though.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

|-----Original Message-----
|From: Mike Brockman [mailto:phubuhat_private]
|Sent: Thursday, July 19, 2001 9:33 PM
|To: bugtraqat_private
|Subject: 'Code Red' does not seem to be scanning for IIS
|
|
|From what I read about the 'Code Red'-worm, it was supposed to be scanning
|for IIS-servers. It obviously isn't, I believe it tries to infect
|everything they find on port 80, or something as simple as that.
|
|About three to four days ago, I started to get those default.ida-GETs in
|my Apache-logs. I shut down the server as fast as I could, and checked for
|outgoing connections from my computer, and then did some research.
|I was told that it was an IIS-worm, and that it couldn't affect
|Apache-servers, so I was safe. I turned the server back on, and from that
|day I have received forty-one attempts.
|
|How can this be? Why am I getting so few attempts, if it is as eEye says
|-- that every worm-instance has the same seed?
|I should be getting tons and tons of tries, if the worm has been around
|for this long. Or is it that my IP is high up in the "sequence", and not
|many come that far? If that is the case, the number should be increasing
|fast in the near future, right?
|
|I'll come back with a report in a week or so.
|
|________________________________
| m'name be mike brockman! jeeh!
|_ooh,_und_dunt_feed_my_eskimoes_
|
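
An added example, not part of the original messages: one way to count the default.ida GETs described above in an Apache access log, per day and per source, to see whether the rate is rising. It assumes the log is in Common Log Format; the function name, the sample lines, the addresses and the shortened query string are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# The thread identifies the probe by its GET for default.ida.
# Anchoring on "?" or end of path avoids matching e.g. /default.idaho.html.
PROBE = re.compile(r'^/default\.ida(\?|$)', re.IGNORECASE)

def summarize_probes(lines):
    """Return (per-day counts, per-source counts, per-status counts)."""
    per_day, per_src, per_status = Counter(), Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] != "GET" or not PROBE.match(m["target"]):
            continue  # unparseable line or unrelated request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_day[ts.date().isoformat()] += 1
        per_src[m["host"]] += 1
        per_status[m["status"]] += 1
    return per_day, per_src, per_status

# Constructed sample lines (documentation IP ranges, query string shortened).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jul/2001:03:12:44 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [17/Jul/2001:09:40:02 +0200] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [18/Jul/2001:11:05:19 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
192.0.2.10 - - [19/Jul/2001:00:01:37 +0200] "GET /Default.IDA?NNNNNNNN HTTP/1.0" 404 205
203.0.113.9 - - [19/Jul/2001:14:22:08 +0200] "GET /default.idaho.html HTTP/1.0" 200 512
malformed line without a request
""".splitlines()

if __name__ == "__main__":
    days, sources, statuses = summarize_probes(SAMPLE_LOG)
    for day in sorted(days):
        print(day, days[day])
    print("distinct sources:", len(sources))
    print("responses:", dict(statuses))
```

Repeated hits from the same source show up in the per-source counts, and the per-status counts show how the server answered the probes.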
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:04:39 PDT