We've injected a copy of the Code Red worm onto one of our lab systems (Windows 2000 Server with SP1; IIS 5.0 with no content additions or configuration changes, e.g., the "The site you were trying to reach does not currently have a default page" home page; idq.dll from prior to the MS01-033/Q300972 patch). A few preliminary notes:

-- Within about 10 seconds after the worm data was sent, the victim machine began generating port-80 SYN packets to many random IP addresses, as described in the other reports of this worm. However, there was no "Hacked By Chinese!" home page created on this machine. Also, in a similar attack on a Windows 2000 Server machine that had a brief c:\inetpub\wwwroot\default.htm file, the attack did not result in that home page being changed or replaced. I have also heard other reports of Code Red activity on machines that did not have a home-page defacement. This suggests that scanning your own networks for machines with a "Hacked By Chinese!" home page might not be an especially comprehensive way to identify machines compromised by Code Red.

-- The victim machine sends the string "GET " to the attacking machine over the TCP connection that was used for the attack. It's possible that looking for short outgoing packets ending with the application data "GET ", with TCP source port 80, may be a useful way to detect break-ins in some environments.

-- fport (http://www.foundstone.com/rdlabs/proddesc/fport.html) listed about 100 TCP ports for inetinfo.exe on the victim machine. This may be useful in a rough first pass at assessing whether a suspected machine was compromised by Code Red.

Matt Power
BindView Corporation, RAZOR Team
mhpowerat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
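As an added illustration (not part of the original post), the following Python checks packet summaries for the two host-level indicators described above: a short segment from TCP source port 80 whose application data ends with "GET ", and one host sending port-80 SYNs to many distinct addresses. The records, the 20-target threshold and the 8-byte length limit are constructed assumptions for the example.

```python
"""Constructed example: flag the two Code Red indicators described in the post
from a list of packet summaries. Not captured traffic; values are made up."""
from collections import defaultdict

# Each record: (src_ip, src_port, dst_ip, dst_port, tcp_flags, payload bytes).
# Constructed sample: 10.0.0.5 shows both indicators, 10.0.0.7 shows neither.
SAMPLE = [
    ("10.0.0.5", 80, "192.0.2.9", 3102, "PA", b"GET "),   # reply to the attacker
    ("10.0.0.5", 80, "192.0.2.9", 3102, "PA", b"HTTP/1.1 200 OK\r\n\r\n<html>..."),
    ("10.0.0.7", 80, "192.0.2.20", 4001, "PA", b"HTTP/1.1 404 Object Not Found\r\n"),
] + [("10.0.0.5", 1024 + i, f"203.0.113.{i}", 80, "S", b"") for i in range(1, 41)] \
  + [("10.0.0.7", 2000 + i, f"198.51.100.{i}", 80, "S", b"") for i in range(1, 4)]


def get_callbacks(records, max_len=8):
    """Return (src_ip, dst_ip) pairs for short segments sent from TCP source
    port 80 whose application data ends with b"GET "."""
    hits = []
    for src, sport, dst, _dport, _flags, payload in records:
        if sport == 80 and 0 < len(payload) <= max_len and payload.endswith(b"GET "):
            hits.append((src, dst))
    return hits


def syn_fanout(records, threshold=20):
    """Return {src_ip: distinct_targets} for hosts whose bare SYNs to port 80
    reach at least `threshold` distinct destination addresses."""
    targets = defaultdict(set)
    for src, _sport, dst, dport, flags, _payload in records:
        if dport == 80 and flags == "S":
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def suspects(records):
    """Hosts showing either indicator; each alone merits a closer look."""
    return sorted({s for s, _ in get_callbacks(records)} | set(syn_fanout(records)))


if __name__ == "__main__":
    print("GET callbacks:", get_callbacks(SAMPLE))
    print("SYN fan-out:", syn_fanout(SAMPLE))
    print("suspects:", suspects(SAMPLE))
```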
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 11:59:53 PDT