Code Red Scans

From: Nicholas Bachmann (nbachmannat_private)
Date: Wed Aug 01 2001 - 10:32:59 PDT


      Hi-
    
    Today I have received attempts from someone on your network (IP: 201.35.181.208)
    to exploit the "Code Red" vulnerability that exists in Microsoft IIS.  Using the
    Unix tool "host" I determined that the IP 201.35.181.208 resolves to
    nwmrb35210.smarttadsl.com as demonstrated:
    
    [root@bachmann /root]# host 208.181.35.210
    210.35.181.208.in-addr.arpa. domain name pointer nwmrb35210.smarttadsl.com.
    
    Below are the commands I used to determine that this computer has 
    attempted to infect my machine.
    
    *According to my Apache logs:*
    
    [root@bachmann /root]# grep ida? /var/log/httpd/access_log
    208.181.35.210 - - [01/Aug/2001:11:40:04 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324
    
    [root@bachmann /root]# grep 208.181.35.210 /var/log/httpd/error_log
    [Wed Aug  1 11:40:03 2001] [error] [client 208.181.35.210] Client sent malformed Host header
    
    *And from my Firewall logs:*
    
    [root@bachmann /root]# grep SRC=208.181.35.210 /var/log/kerninfo
    Aug  1 12:14:24 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=15376 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
    Aug  1 12:14:27 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=15458 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
    Aug  1 12:14:33 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=15645 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
    Aug  1 12:14:45 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=16041 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
    Aug  1 12:15:09 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=16816 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
    Aug  1 12:15:57 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210 DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=18389 DF PROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0
    
    I would appreciate action being taken to correct this matter.
    
    -- 
    		Regards,
    		N
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
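The post identifies Code Red by grepping access_log for "ida?". As an added example (not the poster's code), the script below does the same check more precisely over constructed Apache common-log lines: it parses each record, matches the /default.ida? request with its long run of a single filler character followed by %uXXXX escapes, and groups attempts by source IP. It generalizes the post slightly in that the filler byte is not fixed to 'N'; the sample log and the addresses 10.0.0.5 and 192.0.2.77 are constructed.

```python
import re
from collections import defaultdict

# Apache common log format, as in the access_log lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Code Red signature: a request for /default.ida? (the .ida ISAPI filter) carrying a
# long run of one filler character and then a series of %uXXXX escapes. The post
# shows 'N' as filler; any single repeated letter is accepted here (assumption).
CODE_RED_RE = re.compile(r'^/default\.ida\?([A-Za-z])\1{15,}(?:%u[0-9a-fA-F]{4})+')

def parse_line(line):
    """Fields of one access_log record, or None if it is not common log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_code_red(path):
    """True if the request path carries the Code Red .ida overflow signature."""
    return CODE_RED_RE.match(path) is not None

def find_code_red(log_text):
    """Map each source IP to the (timestamp, status) of its Code Red attempts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['method'] == 'GET' and is_code_red(rec['path']):
            hits[rec['ip']].append((rec['ts'], int(rec['status'])))
    return dict(hits)

# Constructed sample log (not the poster's file); the first record mirrors the
# request quoted in the post with the filler run shortened.
SAMPLE_ACCESS_LOG = """\
208.181.35.210 - - [01/Aug/2001:11:40:04 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324
10.0.0.5 - - [01/Aug/2001:11:41:10 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [01/Aug/2001:12:02:07 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 290
208.181.35.210 - - [01/Aug/2001:12:15:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 324
10.0.0.5 - - [01/Aug/2001:12:20:00 -0400] "GET /default.ida?short HTTP/1.0" 404 290
"""

if __name__ == '__main__':
    for ip, attempts in sorted(find_code_red(SAMPLE_ACCESS_LOG).items()):
        print(f"{ip}: {len(attempts)} Code Red attempt(s), first at {attempts[0][0]}")
```

Note that the kernel log lines in the post carry SPT=80 with ACK FIN, i.e. packets leaving the remote host's web port toward a local ephemeral port, which is a different direction from the inbound HTTP requests the access_log check above catches.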
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 10:45:22 PDT