-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One possibility we seem to be overlooking here is that it's conceivable that we have several servers with RFC 1918 addresses sitting behind a firewall/proxy in some kind of NAT/port-forwarding setup, and the IP in the logs is actually the IP address of the firewall.

Andrew

- -----Original Message-----
From: Lee Smith [mailto:leeat_private]
Sent: Monday, August 06, 2001 3:15 PM
To: corecode
Cc: jwd_odsat_private; incidentsat_private
Subject: Re: CRv2 multiple scans from same source IP

> NOW: CodeRedII (this name is easily mistaken with CRv2, so I would
> suppose another name: I started calling it ida_root since my first
> analysis on 5th Aug, 7:34 GMT)
> This worm always only infects one host _once_. It checks for double
> infection. It could generate the same IP address again in its PRNG,
> but the chance of this happening is near 0.

You would think it should be near 0, but unless I'm mistaken this should be CR II, correct?

x.x.x.x - - [06/Aug/2001:09:18:20 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278
x.x.x.x - - [06/Aug/2001:09:18:23 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:13 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:53 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:57 -0500] <snip>

all from the same IP address out of my Apache logs.

- ----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO28CPNU0NpnwXzrpEQIHtACg+frXpSxFREhPxHBNZnF//V0J2T0AmQFS
XKpEQVXeUUkzmKGcTZ66sL9s
=XGwf
-----END PGP SIGNATURE-----
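Added example, not part of the thread and not anyone's code from it: a small Python script that does the check Lee's excerpt invites, grouping /default.ida probes in an Apache access log by source address and reporting any address that probed more than once, how far apart the hits were, and how many landed in the same second. The log lines are constructed to mirror the excerpt (RFC 1918 addresses stand in for the masked x.x.x.x), and the rule that a run of N filler marks Code Red v1/v2 while a run of X marks Code Red II is taken from the public analyses of the worm, not from anything stated in the thread. A single address with many hits is exactly what Andrew's NAT/port-forwarding explanation would produce, so the output is the starting point for that question rather than an answer to it.

```python
"""Group Code Red style /default.ida probes in an Apache access log by source address.

Added example for the thread above; the log lines below are constructed, not the
poster's real logs (his addresses were masked as x.x.x.x).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common-log prefix: client ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The overflow payload travels in the query string of /default.ida.  The published
# signatures pad with 'N' for Code Red v1/v2 and with 'X' for Code Red II, the
# variant in the thread's excerpt (assumption from public analyses, not the thread).
IDA_RE = re.compile(r'^/default\.ida\?(?P<filler>[NX]*)')

# Constructed sample: one address hitting five times (same timing pattern as the
# excerpt, including a same-second pair), one Code Red v1/v2 probe, one ordinary
# request, and one lone Code Red II probe from a fourth address.
CRII_QS = ("XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
           "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00"
           "%u531b%u53ff%u0078%u0000%u00=a")
CRV1_QS = "NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a"


def _line(ip, ts, path, status="404", size="278"):
    """Build one constructed common-log line (hypothetical helper)."""
    return f'{ip} - - [{ts} -0500] "GET {path} HTTP/1.0" {status} {size}'


SAMPLE_LOG = "\n".join([
    _line("10.1.2.3", "06/Aug/2001:09:18:20", "/default.ida?" + CRII_QS),
    _line("10.1.2.3", "06/Aug/2001:09:18:23", "/default.ida?" + CRII_QS),
    _line("10.1.2.3", "06/Aug/2001:09:18:37", "/default.ida?" + CRII_QS),
    _line("10.1.2.3", "06/Aug/2001:09:18:37", "/default.ida?" + CRII_QS),
    _line("10.7.7.7", "06/Aug/2001:09:19:05", "/default.ida?" + CRV1_QS),
    _line("10.5.5.5", "06/Aug/2001:09:20:00", "/index.html", "200", "1234"),
    _line("10.8.8.8", "06/Aug/2001:09:21:41", "/default.ida?" + CRII_QS),
    _line("10.1.2.3", "06/Aug/2001:09:23:13", "/default.ida?" + CRII_QS),
])


def classify_ida(path):
    """Label a request path as a Code Red variant by its filler, or None if not an .ida probe."""
    m = IDA_RE.match(path)
    if not m:
        return None
    filler = m.group("filler")
    if filler.startswith("X"):
        return "CodeRedII"
    if filler.startswith("N"):
        return "CodeRed v1/v2"
    return "ida-unknown"


def parse_line(line):
    """Parse one common-log line into a dict with a datetime and a variant label."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["variant"] = classify_ida(rec["path"])
    return rec


def ida_probes_by_source(log_text):
    """Map each source address to its .ida probes, sorted by time; non-probes are dropped."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["variant"]:
            by_ip[rec["ip"]].append(rec)
    for probes in by_ip.values():
        probes.sort(key=lambda r: r["ts"])
    return by_ip


def repeat_scanners(log_text, min_hits=2):
    """Summarise sources that probed at least min_hits times.

    One worm instance that refuses to reinfect a host should hit once; many hits from
    one address fits several infected hosts sharing a NAT/proxy address, as raised in
    the thread, or independent instances landing on the same target.
    """
    report = {}
    for ip, probes in ida_probes_by_source(log_text).items():
        if len(probes) < min_hits:
            continue
        times = [p["ts"] for p in probes]
        report[ip] = {
            "hits": len(probes),
            "variants": dict(Counter(p["variant"] for p in probes)),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "same_second_pairs": sum(1 for a, b in zip(times, times[1:]) if a == b),
        }
    return report


if __name__ == "__main__":
    for ip, info in repeat_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real access_log by replacing SAMPLE_LOG with the file's contents; a high same_second_pairs count from one address is a quick hint that more than one host is behind it, which is the first thing to establish before reading anything into the worm's reinfection check.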
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 14:31:01 PDT