RE: New version of Code Red?

From: Nick Lehman (nicklat_private)
Date: Tue Jul 24 2001 - 19:43:08 PDT


    Looks very much like the URL eEye's 'Code Red Scanner' uses to test for
    vulnerable machines.
    
    http://www.eeye.com/html/Research/Tools/codered.html
    
    Nick
    
    -----Original Message-----
    From: Dean Cunningham [mailto:Dean.Cunninghamat_private] 
    Sent: Wednesday, 25 July 2001 7:32 AM
    To: 'incidentsat_private'
    Subject: New version of Code Red?
    
    
    A FYI, I have yet to see anything in my logs.
    
    cheers
    Dean
    
    
    -----Original Message-----
    From: MVickat_private [mailto:MVickat_private] 
    Sent: Wednesday, 25 July 2001 8:44 AM
    To: NT System Admin Issues
    Subject: New version of Code Red?
    
    
    Computer at 172.158.225.228 does the 80 GET /x.ida, followed by AAA...
    instead of NNN...
    Then comes back 25 minutes later with 80 GET /iisstart.asp and 80 GET
    /pagerror.gif
    
    
    2001-07-23 11:05:32 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /x.ida
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
    
    200 -
    
    2001-07-23 11:30:06 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET
    /iisstart.asp
    - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
    
    2001-07-23 11:30:08 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET
    /pagerror.gif
    - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
    
    
    And nslookup reports....
    
    
    C:\>nslookup 172.158.255.228
    Server:  xxxx.xxxxx.xxx
    Address:  xxx.xxx.xxx.xxx
    
    Name:    AC9EFFE4.ipt.aol.com
    Address:  172.158.255.228
    
    
    
    Michael Vick
    
    ***************************************************
    This e-mail is  not an  official  statement of  the
    Waikato  Regional  Council unless otherwise stated.
    Visit our website http://www.ew.govt.nz
    ***************************************************
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 20:16:16 PDT
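
Added example, not part of the original thread: a small triage script that pulls padded .ida requests out of IIS log lines, reports which filler letter each one used (so the NNN... and AAA... variants discussed above can be told apart), and lists what else the same client fetched. The field order is assumed from the log lines quoted in the thread; the function names and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Field order assumed from the log lines quoted in the thread:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "port",
          "method", "stem", "query", "status", "agent")

# Query string that begins with a long run of one repeated letter (the padding).
FILLER = re.compile(r"^([A-Za-z])\1{31,}")

def parse(line):
    """Split one log line into named fields; None for headers and short lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0].startswith("#"):
        return None
    return dict(zip(FIELDS, parts))

def classify(rec):
    """Return (filler_char, run_length) for a padded .ida request, else None."""
    if not rec["stem"].lower().endswith(".ida"):
        return None
    m = FILLER.match(rec["query"])
    return (m.group(1), len(m.group(0))) if m else None

def summarize(lines):
    """Per client: padded .ida probes, plus everything else that client fetched."""
    probes, others = defaultdict(list), defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        hit = classify(rec)
        if hit:
            probes[rec["c_ip"]].append((rec["time"], rec["stem"], *hit, rec["status"]))
        else:
            others[rec["c_ip"]].append((rec["time"], rec["stem"], rec["agent"]))
    return {ip: {"probes": p, "other": others.get(ip, [])} for ip, p in probes.items()}

# Constructed sample lines: documentation addresses, padding lengths chosen for the example.
SAMPLE = [
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2001-07-23 11:05:32 192.0.2.10 - 198.51.100.5 80 GET /x.ida " + "A" * 200 + "=X 200 -",
    "2001-07-23 11:30:06 192.0.2.10 - 198.51.100.5 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.5)",
    "2001-07-23 11:30:08 192.0.2.10 - 198.51.100.5 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.5)",
    "2001-07-23 11:41:10 192.0.2.20 - 198.51.100.5 80 GET /default.ida " + "N" * 224 + " 200 -",
    "2001-07-23 11:50:00 192.0.2.30 - 198.51.100.5 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+5.5)",
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```

A real browser User-Agent on the follow-up requests from the same address, as in the quoted log, is the kind of detail the "other" list surfaces for the analyst.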