RE: Full analysis of the .ida "Code Red" worm.

From: Marc Maiffret (marcat_private)
Date: Thu Jul 19 2001 - 16:14:15 PDT


    It's a destination port 80, not source.
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    
    |-----Original Message-----
    |From: corecode [mailto:simonsat_private]
    |Sent: Thursday, July 19, 2001 11:09 AM
    |To: incidentsat_private
    |Subject: Re: Full analysis of the .ida "Code Red" worm.
    |
    |
    |At 06:17 AM 7/19/2001, aleph1at_private wrote:
    |>----- Forwarded message from Marc Maiffret <marcat_private> -----
    |>8. Infect a new host (send .ida worm to a "random" IP address on port 80).
    |>
    |>At this point the worm will resend itself to any IP addresses which it can
    |>connect to port 80 on. It uses multiple send()'s so packet traffic may be
    |>broken up. On a successful completion of send, it closes the socket and goes
    |>to step 6... therefore repeating this loop infinitely.
    |
    |I wonder if these connects originate from port 80, too.
    |Somewhere I read about a source port 80, but maybe I mistake this with the
    |acknowledging "GET".
    |
    |greets,
    |   corecode
    |
    |
    |
    |----------------------------------------------------------------------------
    |
    |
    |This list is provided by the SecurityFocus ARIS analyzer service.
    |For more information on this free incident handling, management
    |and tracking system please see:
    |
    |http://aris.securityfocus.com
    |
    |
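Two details in this exchange shape how the traffic is detected: the infection attempt goes to destination port 80 (the source port is whatever ephemeral port the infected host picked), and the request may be spread across several send() calls, so a signature applied to a single packet can miss it. The script below is an added example, not code from this thread or from eEye: it reassembles constructed packet records per flow and then looks for a .ida request on connections whose destination port is 80, and it contrasts that with matching on source port 80 and with per-packet matching. The request path in the sample is a constructed placeholder; a production rule would use the exact request string from the full analysis.

```python
"""Flow reassembly for spotting .ida infection attempts by destination port.

Added example for the mailing-list thread; the packet records below are
constructed, not captured traffic.
"""
import re
from collections import defaultdict

# Constructed packet records: (src_ip, src_port, dst_ip, dst_port, payload).
# The infection request is split over three segments, mirroring the
# "multiple send()'s" noted in the analysis. The path "/sample.ida" is a
# placeholder, not the worm's real request string.
PACKETS = [
    ("10.0.0.5", 3421, "192.0.2.10", 80, b"GET /sam"),
    ("10.0.0.5", 3421, "192.0.2.10", 80, b"ple.ida?NNNNNNNN"),
    ("10.0.0.5", 3421, "192.0.2.10", 80, b"NNNN HTTP/1.0\r\n\r\n"),
    # Server reply: source port 80. This is not an infection attempt.
    ("192.0.2.10", 80, "10.0.0.5", 3421, b"HTTP/1.0 200 OK\r\n\r\n"),
    # Ordinary browsing to port 80; must not match.
    ("10.0.0.7", 51000, "192.0.2.20", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]

# A GET whose path ends in ".ida" followed by a query string.
IDA_REQUEST = re.compile(rb"^GET /\S*\.ida\?")


def reassemble(packets):
    """Concatenate payloads per (src_ip, src_port, dst_ip, dst_port) flow,
    in the order the segments arrived."""
    flows = defaultdict(bytes)
    for src, sport, dst, dport, payload in packets:
        flows[(src, sport, dst, dport)] += payload
    return flows


def find_ida_flows(packets, match_on="dst"):
    """Return the flow keys whose reassembled payload starts with an .ida
    request. match_on="dst" checks destination port 80 (correct for the
    worm's outbound infection attempts); match_on="src" checks source
    port 80, which only ever sees server replies."""
    hits = []
    for key, payload in reassemble(packets).items():
        src, sport, dst, dport = key
        port = dport if match_on == "dst" else sport
        if port == 80 and IDA_REQUEST.match(payload):
            hits.append(key)
    return hits


def find_ida_packets(packets):
    """Per-packet matching with no reassembly. When the request is broken
    up across sends, no single segment carries the whole pattern."""
    return [
        (src, sport, dst, dport)
        for src, sport, dst, dport, payload in packets
        if dport == 80 and IDA_REQUEST.match(payload)
    ]


if __name__ == "__main__":
    print("per-flow, dst port 80:", find_ida_flows(PACKETS, "dst"))
    print("per-flow, src port 80:", find_ida_flows(PACKETS, "src"))
    print("per-packet, dst port 80:", find_ida_packets(PACKETS))
```

Run against the constructed records, the flow-level check on destination port 80 flags the single infected client's connection, the source-port-80 variant flags nothing, and the per-packet check also flags nothing because the request line is split across segments.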
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 20:03:09 PDT