Re: CRv2 multiple scans from same source IP

From: Paul Gear (paulgearat_private)
Date: Mon Aug 06 2001 - 13:33:00 PDT

    Sent this last night, but it didn't make it through - moderated due to
    IP addresses?
    
    Chris Freeze wrote:
    
    > On Sun, 5 Aug 2001, John Davidson wrote:
    >
    > > My W2k IIS logs show 3 CRv2 scans from the same source IP within the same
    > > minute.
    >
    > Here every time I get scanned, my Apache logs are showing a double hit.
    > Snort is also logging the two back-to-back attempts.
    > ...
    
    I wrote a little script to summarize the hits on my system by IP.
    Here's an extract:
    
    1.a.a.7
            06/Aug/2001 06:54:50
            06/Aug/2001 06:54:50
    ...
    1.b.b.4
            06/Aug/2001 15:00:37
            06/Aug/2001 15:00:37
            06/Aug/2001 15:42:52
            06/Aug/2001 15:42:52
            06/Aug/2001 16:48:33
            06/Aug/2001 16:48:33
    ...
    1.c.c.5
            06/Aug/2001 19:52:31
            06/Aug/2001 19:52:31
    ...
    TOTAL:
            312 scans
            112 unique hosts
    
    Every scan (regardless of whether it's from my class A or not)
    consists of two probes.  I am getting multiple scans from each system,
    often quite a ways apart.  None of the requests are missing anything -
    they are all the right size.
    
    "Ben N. Venzke" wrote:
    
    > ...
    > If CodeRedII can only infect Windows 2000 boxes running IIS, why all
    > of the CodeRedII infection attempts from what appear to be DSL, cable
    > modem and dial-up boxes?
    >
    > I could see running a small server on a DSL line, but are there really
    > that many people running IIS on a 56k dial-up?
    
    I thought that myself, but my brief investigations have shown otherwise.
    I am a dialup modem user on a major Australian ISP.  My system is getting a
    lot more hits than I would have expected considering my bandwidth, and
    nearly all of them are from my own ISP (as expected).  However, these
    machines do indeed seem to be running IIS - probably the default install.
    
    Here's what I got when I looked at the web server on one of the systems
    that probed me:
    
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Mon, 06 Aug 2001 09:29:07 GMT
    Connection: Keep-Alive
    Content-Length: 1270
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDQGQGQHJC=LJAFGGCDOKEPBGGPBDDPBGLF; path=/
    Cache-control: private
    
    
    <!--
              WARNING!
              Please do not alter this file. It may be replaced if you
    upgrade your
    web server
         If you want to use it as a template, we recommend renaming it,
    and
    modifying the new file.
              Thanks.
    -->
    
    
    <HTML>
    
    <HEAD>
    <META HTTP-EQUIV="Content-Type" Content="text-html;
    charset=Windows-1252">
    
    
    
    <title id=titletext>Under Construction</title>
    </HEAD>
            <body bgcolor=white>
            <TABLE>
            <TR>
            <td id="tableProps" width=70 valign=top align=center>
            <IMG id="pagerrorImg" SRC="pagerror.gif" width=36 height=48>
            <TD id="tablePropsWidth" width=400>
    
            <h1 id=errortype style="font:14pt/16pt verdana;
    color:#4e4e4e">
            <id id="Comment1"><!--Problem--></id><id id="errorText">Under
    Construction</id></h1>
            <id id="Comment2"><!--Probable causes:<--></id><id
    id="errordesc"><font
    style="font:9pt/12pt verdana; color:black">
            The site you were trying to reach does not currently have a
    default
    page. It may be in the process of being upgraded.
            </id>
            <br><br>
    
            <hr size=1 color="blue">
    
            <br>
            <ID  id=term1>
            Please try this site again later. If you still experience the
    problem,
    try contacting the Web site administrator.
            </ID>
            <P>
    
            </ul>
            <BR>
            </TD>
            </TR>
            </TABLE>
            </BODY>
    
    
    </HTML>
    
    To my untrained eye, this looks like it might be a default root page that
    IIS installs.  It seems that every man and his dog with Win2K on their
    home PC are joining in the fun.
    
    Paul
    http://paulgear.webhop.net
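Added example, not Paul's script (which is not included in the post): a Python summary of Code Red II probes per source IP from an Apache combined-format log, producing the same per-IP timestamp layout as the extract above and separately listing the back-to-back double hits. It assumes the probes show up in the log as requests for /default.ida, the request path the worm sends; the log lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Apache combined-log lines (RFC 5737 documentation addresses,
# not the IPs from the post); the worm's query string is shortened to "XXXX".
SAMPLE_LOG = """\
192.0.2.7 - - [06/Aug/2001:06:54:50 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 287 "-" "-"
192.0.2.7 - - [06/Aug/2001:06:54:50 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 287 "-" "-"
198.51.100.4 - - [06/Aug/2001:15:00:37 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 287 "-" "-"
198.51.100.4 - - [06/Aug/2001:15:00:37 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 287 "-" "-"
198.51.100.4 - - [06/Aug/2001:15:42:52 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 287 "-" "-"
198.51.100.4 - - [06/Aug/2001:15:42:52 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 287 "-" "-"
203.0.113.5 - - [06/Aug/2001:19:52:31 +1000] "GET /index.html HTTP/1.0" 200 1270 "-" "Mozilla/4.0"
"""

# Apache common/combined log prefix: client IP, ident, user, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def is_code_red_probe(request):
    """Assumption: the probe is a GET for /default.ida?<long query>.
    Only the path is inspected; the query payload is irrelevant here."""
    parts = request.split()
    return len(parts) >= 2 and parts[0] == "GET" and parts[1].startswith("/default.ida?")


def summarize(log_text):
    """Map each source IP to the timestamps of its probes, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_code_red_probe(m.group("req")):
            # "06/Aug/2001:06:54:50 +1000" -> "06/Aug/2001 06:54:50"
            stamp = m.group("ts").split()[0].replace(":", " ", 1)
            hits[m.group("ip")].append(stamp)
    return dict(hits)


def doubled(hits):
    """Per IP, the timestamps carrying two or more probes: the back-to-back
    pairs described in the thread, as opposed to repeat scans minutes apart."""
    return {ip: [t for t, n in Counter(ts).items() if n > 1] for ip, ts in hits.items()}


def report(hits):
    """Render the per-IP summary in the layout used in the post."""
    lines = []
    for ip in sorted(hits):
        lines.append(ip)
        lines.extend("\t" + t for t in hits[ip])
    lines += ["TOTAL:", "\t%d scans" % sum(map(len, hits.values())),
              "\t%d unique hosts" % len(hits)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```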
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 14:33:16 PDT