Re(2): 'Code Red' does not seem to be scanning for IIS

From: Ken Eichman (keichmanat_private)
Date: Thu Jul 19 2001 - 16:15:32 PDT

Next message: Vern Paxson: "Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm."

Previous message: Marc Maiffret: "RE: 'Code Red' does not seem to be scanning for IIS"
In reply to: Kelly Martin: "RE: 'Code Red' does not seem to be scanning for IIS"
Next in thread: Phillip Reed: "Re: Re(2): 'Code Red' does not seem to be scanning for IIS"
Next in thread: Duncan Hill: "RE: 'Code Red' does not seem to be scanning for IIS"
Next in thread: Marc Maiffret: "RE: 'Code Red' does not seem to be scanning for IIS"
Reply: Phillip Reed: "Re: Re(2): 'Code Red' does not seem to be scanning for IIS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I can correlate what Kelly reports -- *something* happened between 14-1500 GMT
today to drastically increase the number of 'code red' scans/infections. I've
been tracking them since Saturday on my IDS. Our class-b address space appears
to be high up on the worms scanning pattern. For all of 7/18 I recorded probes
from 8247 unique host IP addresses, presumably compromised with 'code red'.
Just during the 1900GMT hour today - one hour of logs - I recorded 'code red'
hits from 115124 different IP addresses. All of these probes are bouncing off
our firewall. The drastic increase in infections/probes began between 1300-
1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.

Ken Eichman                  Senior Security Engineer
Chemical Abstracts Service   Tel:   (614) 447-3838 ext 3230
2540 Olentangy River Road    Fax:   (614) 447-3855
Columbus, OH 43210           Email: keichmanat_private

> From: Kelly Martin <kellymat_private>
> To: "'Mike Brockman'" <phubuhat_private>, bugtraqat_private
> Subject: RE: 'Code Red' does not seem to be scanning for IIS
> Date: Thu, 19 Jul 2001 17:21:06 -0500

> Our principal web server (which services some 50-odd virtual domains) has
> taken over 500 hits from "Code Red" worms since around 10am today.  It runs
> Apache, so it doesn't present a security risk, but it is tending to annoy
> our already-overloaded network pipe (we have four Class C's squeezed into
> one T1 line).  Prior to today at around 11am there is no record in our
> logfiles for that server, which go back to 10 July.
>
> Our servers all started to see hits at about the same time, around 10 am
> central time.  Two of them, NT 4.0 SP6a systems with IIS 5, died, one
> repeatedly, before we figured out what was going on.  The attacks come from
> widely variable hosts (no discernable pattern).  I've tracked nearly a
> thousand hits on our IP block in the past six hours or so with none before
> that, and that doesn't even count the ones that smacked silently against the
> firewall (port 80 is only open through the firewall to hosts that actually
> run public web servers, which is only a tiny fraction of the IPs in the
> block).
>
> My cable modem has also started to get hit today, for the first time as far
> as I know, as has our off-site ecommerce server.  I suspect that this is a
> fresh launch, possibly with a modified code base from the original Red Code
> worm.
>
> Kelly Martin
> American Farm Bureau Federation

Next message: Vern Paxson: "Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm."
Previous message: Marc Maiffret: "RE: 'Code Red' does not seem to be scanning for IIS"
In reply to: Kelly Martin: "RE: 'Code Red' does not seem to be scanning for IIS"
Next in thread: Phillip Reed: "Re: Re(2): 'Code Red' does not seem to be scanning for IIS"
Next in thread: Duncan Hill: "RE: 'Code Red' does not seem to be scanning for IIS"
Next in thread: Marc Maiffret: "RE: 'Code Red' does not seem to be scanning for IIS"
Reply: Phillip Reed: "Re: Re(2): 'Code Red' does not seem to be scanning for IIS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 17:43:18 PDT