Hi- Today I have received attempts from someone on your network (IP: 201.35.181.208) to exploit the "Code Red" vulnerability that exists in Microsoft IIS. Using the Unix tool "host" I determined that the IP 201.35.181.208 resolves to nwmrb35210.smarttadsl.com as demonstrated:

[root@bachmann /root]# host 208.181.35.210
210.35.181.208.in-addr.arpa. domain name pointer nwmrb35210.smarttadsl.com.

Below are the commands I used to determine that this computer has attempted to infect my machine.

*According to my Apache logs:*

[root@bachmann /root]# grep ida? /var/log/httpd/access_log
208.181.35.210 - - [01/Aug/2001:11:40:04 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324

[root@bachmann /root]# grep 208.181.35.210 /var/log/httpd/error_log
[Wed Aug 1 11:40:03 2001] [error] [client 208.181.35.210] Client sent malformed Host header

*And from my Firewall logs:*

[root@bachmann /root]# grep SRC=208.181.35.210 /var/log/kerninfo
Aug 1 12:14:24 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=15376 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
Aug 1 12:14:27 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=15458 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
Aug 1 12:14:33 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=15645 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
Aug 1 12:14:45 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=16041 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
Aug 1 12:15:09 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=16816 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
Aug 1 12:15:57 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=18389 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0

I would appreciate action being taken to correct this matter.

--
Regards,
N

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
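As an added example (not part of the report above or of any SecurityFocus tooling), here is the same detection the reporter's `grep ida?` performs, written as a small Python scanner over Apache access_log lines. It parses the common log format, matches the Code Red probe signature (a `/default.ida?` request padded with a long run of one character followed by `%u`-encoded bytes) and groups hits by source address with their timestamps and the status the server returned. The sample log lines are constructed for the example and modelled on the report's entry; the padding run is regenerated programmatically rather than copied.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Code Red probe: GET /default.ida? followed by a long run of a single padding
# byte (N for the original worm, X for Code Red II) and %uXXXX-encoded bytes.
CODERED_RE = re.compile(
    r'^GET /default\.ida\?(?P<pad>[NX])(?P=pad){100,}(?:%u[0-9a-fA-F]{4})+'
)


def parse_line(line):
    """Split one access_log line into its fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def scan_access_log(lines):
    """Return {source_ip: [(timestamp, padding_char, status), ...]} for Code Red probes."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-matching line: skip rather than crash
        m = CODERED_RE.match(rec["req"])
        if m:
            hits[rec["ip"]].append((rec["ts"], m.group("pad"), int(rec["status"])))
    return dict(hits)


# Constructed sample log (not real traffic), modelled on the report's access_log line.
SAMPLE_LOG = [
    '208.181.35.210 - - [01/Aug/2001:11:40:04 -0400] "GET /default.ida?' + "N" * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324',
    '10.0.0.7 - - [01/Aug/2001:11:41:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.9 - - [01/Aug/2001:12:02:17 -0400] "GET /default.ida?' + "X" * 224
    + '%u9090%u6858 HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for ip, probes in scan_access_log(SAMPLE_LOG).items():
        first = min(t for t, _, _ in probes)
        print(f"{ip}: {len(probes)} Code Red probe(s), first at {first.isoformat()}, "
              f"padding {sorted({p for _, p, _ in probes})}, status {[s for _, _, s in probes]}")
```

A 400 or 404 status, as in the report, shows the probe was rejected; the hosts worth a report are the sources, and the dictionary keys give you exactly those.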
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 10:45:22 PDT