We've injected a copy of the Code Red worm onto one of our lab systems
(Windows 2000 Server with SP1; IIS 5.0 with no content additions or
configuration changes, e.g., the "The site you were trying to reach
does not currently have a default page" home page; idq.dll from prior
to the MS01-033/Q300972 patch). A few preliminary notes:
-- Within about 10 seconds after the worm data was sent, the victim
machine began generating port-80 SYN packets to many random IP
addresses, as described in the other reports of this worm.
However, there was no "Hacked By Chinese!" home page created on
this machine. Also, in a similar attack on a Windows 2000 Server
machine that had a brief c:\inetpub\wwwroot\default.htm file, the
attack did not result in that home page being changed or
replaced. I have also heard other reports of Code Red activity on
machines that did not have a home-page defacement.
This suggests that scanning your own networks for machines with
a "Hacked By Chinese!" home page might not be an especially
comprehensive way to identify machines compromised by Code Red.
-- The victim machine sends the string "GET " to the attacking
machine over the TCP connection that was used for the attack.
It's possible that looking for short outgoing packets ending with
the application data "GET ", with TCP source port 80, may be a
useful way to detect breakins in some environments.
-- fport (http://www.foundstone.com/rdlabs/proddesc/fport.html)
listed about 100 TCP ports for inetinfo.exe on the victim
machine. This may be useful in a rough first pass at assessing
whether a suspected machine was compromised by Code Red.
Matt Power
BindView Corporation, RAZOR Team
mhpowerat_private
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 11:59:53 PDT