RE: CRv2 multiple scans from same source IP

From: Andrew Cruse (acruse@design-synergy.com)
Date: Mon Aug 06 2001 - 13:46:52 PDT

  • Next message: Paul Gear: "Re: CRv2 multiple scans from same source IP"

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    One possibility we seem to be overlooking here is that it's
    conceivable that we have several servers with RFC 1918 addresses
    sitting behind a firewall/proxy in some kind of NAT/portforwarding
    setup, and the IP in the logs is actually the IP address of the
    firewall.  
    
    Andrew
    
    - -----Original Message-----
    From: Lee Smith [mailto:leeat_private]
    Sent: Monday, August 06, 2001 3:15 PM
    To: corecode
    Cc: jwd_odsat_private; incidentsat_private
    Subject: Re: CRv2 multiple scans from same source IP
    
    
    
    > NOW: CodeRedII (this name is easily mistaken for CRv2, so I would
    > suppose another name: I started calling it ida_root since my first
    > analysis on 5th Aug, 7:34 GMT)
    > this worm always only infects one host _once_. It checks for double
    > infection. It could generate the same IP address again in its PRNG,
    > but the chance of this happening is near 0.
    
    
    You would think it should be near 0, but unless I'm mistaken this
    should be CR II, correct?
    
    x.x.x.x - - [06/Aug/2001:09:18:20 -0500] "GET
    /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
    u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
    b%u53ff%u0078%u0000%u00=a
    HTTP/1.0" 404 278
    x.x.x.x - - [06/Aug/2001:09:18:23 -0500] <snip>
    x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
    x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
    x.x.x.x - - [06/Aug/2001:09:23:13 -0500] <snip>
    x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
    x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
    x.x.x.x - - [06/Aug/2001:09:23:53 -0500] <snip>
    x.x.x.x - - [06/Aug/2001:09:23:57 -0500] <snip>
    
    all from the same IP address out of my Apache logs.
    
    - ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO28CPNU0NpnwXzrpEQIHtACg+frXpSxFREhPxHBNZnF//V0J2T0AmQFS
    XKpEQVXeUUkzmKGcTZ66sL9s
    =XGwf
    -----END PGP SIGNATURE-----
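The thread turns on one observation: nine /default.ida probes from a single source address in a few minutes, which a worm that checks for double infection should not produce unless several hosts sit behind one NAT address (or the source is otherwise not a single infected machine). The script below is an added example, not code from either poster: it parses Apache common-format log lines, recognises Code Red family probes by the padded /default.ida request, and groups them by source IP with hit count, time span and smallest inter-arrival gap, so repeat sources stand out for the NAT explanation. The addresses are RFC 5737 documentation ranges, the log lines are constructed (the timestamps mirror those quoted in the thread), the payload tail is reused from the quoted request for both fill characters, and the `parse_line`, `classify` and `summarize` names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log prefix: client IP, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red family probes request /default.ida with a long filler before the %u-encoded
# payload. Code Red I / "CRv2" pad with 'N'; Code Red II pads with 'X', as in the quoted log.
CODERED_RE = re.compile(r'^/default\.ida\?(?P<pad>N{20,}|X{20,})')


def parse_line(line):
    """Return a dict for one log line, or None if the line is not Apache common format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(uri):
    """Name the worm family from the request URI, or None for anything else."""
    m = CODERED_RE.match(uri)
    if not m:
        return None
    return "CodeRedII" if m.group("pad")[0] == "X" else "CodeRed"


def summarize(lines):
    """Group Code Red probes by source IP; a count above 1 is the repeat-source case from the thread."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than abort the whole run
        family = classify(rec["uri"])
        if family is None:
            continue  # ordinary traffic
        hits[rec["ip"]].append((rec["ts"], family))

    report = {}
    for ip, events in hits.items():
        events.sort()
        stamps = [e[0] for e in events]
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report[ip] = {
            "count": len(events),
            "families": sorted({e[1] for e in events}),
            "span_seconds": int((stamps[-1] - stamps[0]).total_seconds()),
            "min_gap_seconds": min(gaps) if gaps else None,
            # More than one probe from one address: several hosts behind a NAT/proxy,
            # or something other than a single once-only infector.
            "repeat_source": len(events) > 1,
        }
    return report


# Constructed sample log (not the poster's data). Payload tail copied from the quoted
# request; the filler is shortened so the lines stay readable.
PAYLOAD_TAIL = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
                "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
CRII_URI = "/default.ida?" + "X" * 60 + PAYLOAD_TAIL
CRI_URI = "/default.ida?" + "N" * 60 + PAYLOAD_TAIL


def log_line(ip, ts, uri, status="404", size="278"):
    return f'{ip} - - [{ts} -0500] "GET {uri} HTTP/1.0" {status} {size}'


SAMPLE_LOG = [log_line("192.0.2.10", f"06/Aug/2001:{t}", CRII_URI) for t in
              ["09:18:20", "09:18:23", "09:18:37", "09:18:37", "09:23:13",
               "09:23:44", "09:23:44", "09:23:53", "09:23:57"]]
SAMPLE_LOG.append(log_line("198.51.100.7", "06/Aug/2001:10:02:11", CRI_URI))
SAMPLE_LOG.append(log_line("203.0.113.5", "06/Aug/2001:10:05:00", "/index.html", "200", "1043"))
SAMPLE_LOG.append("this line is not a log entry and must be skipped")

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real access_log with `summarize(open("access_log").readlines())`; sources whose `min_gap_seconds` is 0 or a few seconds are the strongest candidates for the "many hosts behind one firewall address" explanation, since one infected host re-probing the same target that quickly is exactly what the double-infection check is meant to prevent.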
    
    
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 14:31:01 PDT