RE: http://www.worm.com/default.ida? requests

From: Marc Maiffret (marcat_private)
Date: Wed Aug 01 2001 - 13:37:54 PDT


    Some web caching systems and sniffers take the Host: header from an HTTP
    request and put that as the DNS name for the incoming IP address. And what's
    in the Code Red Host header? worm.com. So some things display worm.com as the
    incoming/outgoing (depending on what packet you're viewing) request.
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    
    |-----Original Message-----
    |From: Robin Stevens
    |[mailto:robin.stevens@computing-services.oxford.ac.uk]
    |Sent: Wednesday, August 01, 2001 11:07 AM
    |To: incidentsat_private
    |Subject: Re: http://www.worm.com/default.ida? requests
    |
    |
    |On Wed, Aug 01, 2001 at 04:36:18PM +0100, Sean Kelly wrote:
    |> 	My webcache is having a massive amount of requests for
    |> http://www.worm.com/default.ida?.  Is this an infected machine trying to
    |> scan, or is this a scanner trying to detect compromised hosts?
    |
    |On the last round, the hosts trying to access it matched almost exactly
    |those found to be vulnerable to Code Red.  One host managed 46 million
    |requests over a 30 hour period.
    |
    |Once again we've got hosts hammering away at the cache with requests for
    |that URL, and some admins not taking them offline when asked.  *sigh*
    |
    |--
    |Robin Stevens  <robin.stevensat_private>
    |Oxford University Computing Services
    |Web: http://www.cynic.org.uk/
    |(+44)(0)1865: 273212 (work) 273275 (fax)  Mobile: 07776 235326
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
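    Added example, not code from the original post or from eEye: a small
    request parser that mimics the behaviour Marc describes (a cache or sniffer
    labelling the destination with whatever the client put in the Host: header),
    plus a counter that tallies /default.ida probes per client IP the way Robin
    did for his cache. The probe, the normal request and the log lines are
    constructed stand-ins; the log format is hypothetical, so adapt LOG_LINE to
    what your cache actually writes.

```python
"""Added example: Host: header vs. real destination, and per-source probe
counts. Sample request and log data are constructed, not captured."""
import re
from collections import Counter

# Constructed stand-in for the probe shape discussed in the thread: a request
# for /default.ida with a long query string and Host: www.worm.com. The real
# query string is much longer; its contents do not matter here.
SAMPLE_PROBE = (
    "GET /default.ida?" + "N" * 64 + " HTTP/1.0\r\n"
    "Host: www.worm.com\r\n"
    "\r\n"
)

# Constructed ordinary request for comparison.
SAMPLE_NORMAL = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.example.org\r\n"
    "\r\n"
)

REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")


def parse_request(raw):
    """Split a raw HTTP request into method, target and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group("method"), "target": m.group("target"),
            "version": m.group("ver"), "headers": headers}


def displayed_destination(raw, dst_ip):
    """What a tool that labels the destination with the Host: header shows.

    The name comes from the client's request, not from reverse DNS, so a
    client-chosen Host: header is displayed as if it were the server's name.
    Without a Host: header the tool falls back to the IP address."""
    req = parse_request(raw)
    return req["headers"].get("host", dst_ip)


def is_default_ida_probe(raw):
    """True if the request targets /default.ida with a non-empty query string.

    Works for both origin-form (/default.ida?...) and the absolute-URL form
    a proxy or cache logs (http://www.worm.com/default.ida?...)."""
    req = parse_request(raw)
    path, _, query = req["target"].partition("?")
    return path.lower().endswith("/default.ida") and query != ""


# Constructed cache log lines in a hypothetical format:
#   <unix time> <client IP> "<request line>"
# Real caches use their own formats; adjust LOG_LINE accordingly.
SAMPLE_LOG = """\
996681600 192.0.2.10 "GET http://www.worm.com/default.ida?NNNNNNNN HTTP/1.0"
996681601 192.0.2.10 "GET http://www.worm.com/default.ida?NNNNNNNN HTTP/1.0"
996681602 192.0.2.77 "GET http://www.example.org/index.html HTTP/1.0"
996681603 192.0.2.10 "GET http://www.worm.com/default.ida?NNNNNNNN HTTP/1.0"
996681604 198.51.100.5 "GET http://www.worm.com/default.ida?NNNNNNNN HTTP/1.0"
"""
LOG_LINE = re.compile(r'^(?P<ts>\d+) (?P<src>\S+) "(?P<req>[^"]*)"$')


def probes_per_source(log_text):
    """Count /default.ida probes per client IP, most active first.

    Returns a list of (client_ip, count) tuples; the clients at the top are
    the ones to take offline and check for Code Red."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        # Re-use the request parser by giving the logged request line an
        # empty header block.
        raw = m.group("req") + "\r\n\r\n"
        try:
            if is_default_ida_probe(raw):
                counts[m.group("src")] += 1
        except ValueError:
            continue
    return counts.most_common()


if __name__ == "__main__":
    # The sniffer-style label says www.worm.com even though the packet went
    # to 203.0.113.5 (a constructed address).
    print("displayed as:", displayed_destination(SAMPLE_PROBE, "203.0.113.5"))
    for src, n in probes_per_source(SAMPLE_LOG):
        print(src, n)
```

    The point of displayed_destination is the one Marc makes: the name a cache
    or sniffer shows next to a connection can be nothing more than a string the
    client supplied, so "worm.com" in a log is evidence of the probe's Host:
    header, not of traffic to a host by that name. probes_per_source gives the
    per-client view Robin used to pick out infected machines.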
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 14:28:22 PDT