RE: New version of Code Red?

From: Nick Lehman (nicklat_private)
Date: Tue Jul 24 2001 - 19:43:08 PDT

Next message: Alfred Huger: "New Snort Signatures/ TESO Telnetd Overflow"

Previous message: Lance Spitzner: "Honeynet Project -> Know Your Enemy: Statistics"
In reply to: Dean Cunningham: "New version of Code Red?"
Next in thread: sleonard: "Re: New version of Code Red?"
Reply: sleonard: "Re: New version of Code Red?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Looks very much like the URL eEye's 'Code Red Scanner' uses to test for
vulnerable machines.

http://www.eeye.com/html/Research/Tools/codered.html

Nick

-----Original Message-----
From: Dean Cunningham [mailto:Dean.Cunninghamat_private] 
Sent: Wednesday, 25 July 2001 7:32 AM
To: 'incidentsat_private'
Subject: New version of Code Red?


A FYI, I have yet to see anything in my logs.

cheers
Dean


-----Original Message-----
From: MVickat_private [mailto:MVickat_private] 
Sent: Wednesday, 25 July 2001 8:44 AM
To: NT System Admin Issues
Subject: New version of Code Red?


Computer at 172.158.225.228 does the 80 GET /x.ida, followed by AAA...
instead of NNN...
Then comes back 25 minutes later with 80 GET /iisstart.asp and 80 GET
/pagerror.gif


2001-07-23 11:05:32 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /x.ida
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X

200 -

2001-07-23 11:30:06 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET
/iisstart.asp
- 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)

2001-07-23 11:30:08 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET
/pagerror.gif
- 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)


And nslookup reports....


C:\>nslookup 172.158.255.228
Server:  xxxx.xxxxx.xxx
Address:  xxx.xxx.xxx.xxx

Name:    AC9EFFE4.ipt.aol.com
Address:  172.158.255.228



Michael Vick

***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Alfred Huger: "New Snort Signatures/ TESO Telnetd Overflow"
Previous message: Lance Spitzner: "Honeynet Project -> Know Your Enemy: Statistics"
In reply to: Dean Cunningham: "New version of Code Red?"
Next in thread: sleonard: "Re: New version of Code Red?"
Reply: sleonard: "Re: New version of Code Red?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 20:16:16 PDT