Re: New version of Code Red?

From: Jim Forster (jforsterat_private)
Date: Tue Jul 24 2001 - 15:24:53 PDT


    Confirmed, this one came across every server in one class C yesterday from
    the same address.
    (the hospital here in town, as a matter of fact..  Odd.)
    
    000 : 47 45 54 20 2F 78 2E 69 64 61 3F 41 41 41 41 41   GET /x.ida?AAAAA
    010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    030 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    040 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    050 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    060 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    070 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    080 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    090 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    0a0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    0b0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    0c0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    0d0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    0e0 : 41 41 41 41 41 41 41 3D 58 20 48 54 54 50 2F 31   AAAAAAA=X HTTP/1
    0f0 : 2E 31 0A 48 6F 73 74 3A 20 77 77 77 2E 77 6F 72   .1.Host: www.wor
    100 : 6D 2E 63 6F 6D 0D 0A 0D 0A                        m.com....
    
    ----- Original Message -----
    From: "Dean Cunningham" <Dean.Cunninghamat_private>
    To: <incidentsat_private>
    Sent: Tuesday, July 24, 2001 4:02 PM
    Subject: New version of Code Red?
    
    
    > A FYI, I have yet to see anything in my logs.
    >
    > cheers
    > Dean
    >
    >
    > -----Original Message-----
    > From: MVickat_private [mailto:MVickat_private]
    > Sent: Wednesday, 25 July 2001 8:44 AM
    > To: NT System Admin Issues
    > Subject: New version of Code Red?
    >
    >
    > Computer at 172.158.225.228 does the 80 GET /x.ida, followed by AAA...
    > instead of NNN...
    > Then comes back 25 minutes later with 80 GET /iisstart.asp and 80 GET
    > /pagerror.gif
    >
    >
    > 2001-07-23 11:05:32 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /x.ida
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
    > 200 -
    >
    > 2001-07-23 11:30:06 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /iisstart.asp
    > - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
    >
    > 2001-07-23 11:30:08 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /pagerror.gif
    > - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
    >
    >
    > And nslookup reports....
    >
    >
    > C:\>nslookup 172.158.255.228
    > Server:  xxxx.xxxxx.xxx
    > Address:  xxx.xxx.xxx.xxx
    >
    > Name:    AC9EFFE4.ipt.aol.com
    > Address:  172.158.255.228
    >
    >
    >
    > Michael Vick
    >
    > ***************************************************
    > This e-mail is  not an  official  statement of  the
    > Waikato  Regional  Council unless otherwise stated.
    > Visit our website http://www.ew.govt.nz
    > ***************************************************
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    
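The thread above describes two things a defender can key on in IIS logs: a `GET /x.ida` whose query is a long run of one repeated character (`AAA...` here, `NNN...` in the earlier variant) ending in `=X`, and the same source returning some 25 minutes later for `/iisstart.asp` and `/pagerror.gif`. The following script is an added example written for this archive page, not code posted by anyone in the thread. It assumes a W3C-style field order matching the excerpt (date, time, client IP, `-`, server IP, port, method, URI stem, URI query, status, user agent); the log lines it runs over are constructed, with the padding length (220 characters before `=X`) taken from the capture in the thread and the server and second-probe addresses drawn from documentation ranges.

```python
"""Flag Code Red-style .ida probes in IIS-style web logs and list the
follow-up requests each probing source made shortly afterwards.
Added example for the archived thread; field order and sample lines are
assumptions constructed to match the excerpt, not real log data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A query that opens with one character repeated at least MIN_RUN times
# (the thread shows 220 'A's, earlier variants used 'N's).
MIN_RUN = 100
PAD_RE = re.compile(r"^(.)\1{%d,}" % (MIN_RUN - 1))

# Constructed sample log (server IP 192.0.2.80 and 198.51.100.7 / 203.0.113.9
# are documentation addresses; 172.158.255.228 is the source named in the thread).
SAMPLE_LOG = [
    "2001-07-23 11:05:32 172.158.255.228 - 192.0.2.80 80 GET /x.ida " + "A" * 220 + "=X 200 -",
    "2001-07-23 11:30:06 172.158.255.228 - 192.0.2.80 80 GET /iisstart.asp - 200 "
    "Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)",
    "2001-07-23 11:30:08 172.158.255.228 - 192.0.2.80 80 GET /pagerror.gif - 200 "
    "Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)",
    "2001-07-23 11:40:00 198.51.100.7 - 192.0.2.80 80 GET /x.ida " + "N" * 220 + "=X 200 -",
    # Same source 80 minutes later: outside the default correlation window.
    "2001-07-23 13:00:00 198.51.100.7 - 192.0.2.80 80 GET /default.htm - 200 Mozilla/4.0",
    # An .ida hit with an ordinary query: not a probe.
    "2001-07-23 12:00:00 203.0.113.9 - 192.0.2.80 80 GET /x.ida id=1 404 -",
]


def parse_line(line):
    """Split one log line into a dict using the assumed 11-field layout.
    Returns None for lines that do not fit that layout."""
    parts = line.split()
    if len(parts) != 11:
        return None
    date, time_, c_ip, _, s_ip, port, method, stem, query, status, agent = parts
    return {
        "when": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
        "c_ip": c_ip, "s_ip": s_ip, "port": int(port), "method": method,
        "stem": stem, "query": query, "status": int(status), "agent": agent,
    }


def padding_run(query):
    """Return (char, run_length) when the query starts with a long run of a
    single repeated character, else None."""
    m = PAD_RE.match(query)
    if not m:
        return None
    ch = m.group(1)
    return ch, len(query) - len(query.lstrip(ch))


def find_probes(lines):
    """Return the parsed records whose stem is an .ida request padded as the
    thread describes, annotated with the padding character and its length."""
    probes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["stem"].lower().endswith(".ida"):
            continue
        pad = padding_run(rec["query"])
        if pad is None:
            continue
        rec["pad_char"], rec["pad_len"] = pad
        probes.append(rec)
    return probes


def follow_ups(lines, window=timedelta(minutes=60)):
    """Map each probing client IP to the URI stems it requested within
    `window` after its first probe (the thread saw /iisstart.asp and
    /pagerror.gif 25 minutes after the .ida request)."""
    first_probe = {}
    for p in find_probes(lines):
        first_probe.setdefault(p["c_ip"], p["when"])
    result = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        t0 = first_probe.get(rec["c_ip"])
        if t0 is not None and t0 < rec["when"] <= t0 + window:
            result[rec["c_ip"]].append(rec["stem"])
    return dict(result)


if __name__ == "__main__":
    for p in find_probes(SAMPLE_LOG):
        print(f"{p['when']} {p['c_ip']} {p['stem']} pad={p['pad_char']}x{p['pad_len']}")
    for ip, stems in follow_ups(SAMPLE_LOG).items():
        print(f"{ip} returned for: {', '.join(stems)}")
```

Matching on the padding run rather than on the exact query keeps the check useful when the padding character or the `.ida` filename changes, while the correlation step turns a single probe into the two-stage pattern the thread reports, which is a stronger signal than the probe alone.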



    This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 20:06:17 PDT