Sent this last night, but it didn't make it through - moderated due to IP
addresses?

Chris Freeze wrote:
> On Sun, 5 Aug 2001, John Davidson wrote:
>
> > My W2k IIS logs show 3 CRv2 scans from the same source IP within the same
> > minute.
>
> Here every time I get scanned, my Apache logs are showing a double hit.
> Snort is also logging the two back-to-back attempts.
> ...

I wrote a little script to summarize the hits on my system by IP. Here's an
extract:

1.a.a.7     06/Aug/2001 06:54:50  06/Aug/2001 06:54:50
...
1.b.b.4     06/Aug/2001 15:00:37  06/Aug/2001 15:00:37
            06/Aug/2001 15:42:52  06/Aug/2001 15:42:52
            06/Aug/2001 16:48:33  06/Aug/2001 16:48:33
...
1.c.c.5     06/Aug/2001 19:52:31  06/Aug/2001 19:52:31
...
TOTAL:
    312 scans
    112 unique hosts

Every scan (regardless of whether it's from my class A or not) consists of
two probes. I am getting multiple scans from each system, often quite a ways
apart. None of the requests are missing anything - they are all the right
size.

"Ben N. Venzke" wrote:
> ...
> If CodeRedII can only infect Windows 2000 boxes running IIS, why all
> of the CodeRedII infection attempts from what appear to be DSL, cable
> modem and dial-up boxes?
>
> I could see running a small server on a DSL line but are there really
> that many people running IIS on a 56k dial-up.

I thought that myself, but my brief investigations have shown otherwise. I
am a dialup modem user on a major Australian ISP. My system is getting a lot
more hits than I would have expected considering my bandwidth and nearly all
of them are from my own ISP (as expected). However, these machines do indeed
seem to be running IIS - probably the default install. Here's what I got
when I looked at the web server on one of the systems that probed me:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 06 Aug 2001 09:29:07 GMT
Connection: Keep-Alive
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQGQGQHJC=LJAFGGCDOKEPBGGPBDDPBGLF; path=/
Cache-control: private

<!-- WARNING!
Please do not alter this file. It may be replaced if you upgrade your web server
If you want to use it as a template, we recommend renaming it, and modifying the new file.
Thanks.
-->
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" Content="text-html; charset=Windows-1252">
<title id=titletext>Under Construction</title>
</HEAD>
<body bgcolor=white>
<TABLE>
<TR>
<td id="tableProps" width=70 valign=top align=center>
<IMG id="pagerrorImg" SRC="pagerror.gif" width=36 height=48>
<TD id="tablePropsWidth" width=400>
<h1 id=errortype style="font:14pt/16pt verdana; color:#4e4e4e">
<id id="Comment1"><!--Problem--></id><id id="errorText">Under Construction</id></h1>
<id id="Comment2"><!--Probable causes:<--></id><id id="errordesc"><font style="font:9pt/12pt verdana; color:black">
The site you were trying to reach does not currently have a default page. It may be in the process of being upgraded.
</id>
<br><br>
<hr size=1 color="blue">
<br>
<ID id=term1>
Please try this site again later. If you still experience the problem, try contacting the Web site administrator.
</ID>
<P>
</ul>
<BR>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>

To my untrained eye, this looks like it might be a default root page that
IIS installs. It seems that every man and his dog with Win2K on their home
PC are joining in the fun.

Paul
http://paulgear.webhop.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 14:33:16 PDT
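
An added example, not the script from the post above or any code from the list: one way to build a per-host summary like the quoted extract from an Apache access log, grouping back-to-back probes from one source into a single scan. The log lines are constructed, and the 2-second pairing window and the match on a run of "X" after /default.ida? (the Code Red II request padding; the original Code Red used "N") are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (Apache common log format, documentation-range IPs, shortened queries).
SAMPLE_LOG = """\
192.0.2.7 - - [06/Aug/2001:06:54:50 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX=a HTTP/1.0" 404 276
192.0.2.7 - - [06/Aug/2001:06:54:50 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX=a HTTP/1.0" 404 276
203.0.113.9 - - [06/Aug/2001:09:12:01 +1000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.4 - - [06/Aug/2001:15:00:37 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX=a HTTP/1.0" 404 276
198.51.100.4 - - [06/Aug/2001:15:00:37 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX=a HTTP/1.0" 404 276
203.0.113.5 - - [06/Aug/2001:15:20:11 +1000] "GET /default.ida?NNNNNNNNNNNNNNNN=a HTTP/1.0" 404 276
198.51.100.4 - - [06/Aug/2001:15:42:52 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX=a HTTP/1.0" 404 276
198.51.100.4 - - [06/Aug/2001:15:42:53 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX=a HTTP/1.0" 404 276
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')  # ip, time, path
PROBE_RE = re.compile(r'^/default\.ida\?X{8,}')   # assumption: X padding = Code Red II
PAIR_WINDOW = timedelta(seconds=2)                # assumption: probes this close = one scan

def summarize(log_text):
    """Return {source_ip: [[probe_time, ...], ...]}, one inner list per scan."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and PROBE_RE.match(m.group(3)):
            probes[m.group(1)].append(
                datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"))
    scans = {}
    for ip, times in probes.items():
        groups = []
        for ts in sorted(times):
            if groups and ts - groups[-1][-1] <= PAIR_WINDOW:
                groups[-1].append(ts)      # second probe of the same scan
            else:
                groups.append([ts])        # a new scan from this host
        scans[ip] = groups
    return scans

def report(scans):
    out = []
    for ip, groups in sorted(scans.items()):
        out.append(ip)
        out += ["    " + "  ".join(t.strftime("%d/%b/%Y %H:%M:%S") for t in g)
                for g in groups]
    out.append(f"TOTAL: {sum(map(len, scans.values()))} scans  {len(scans)} unique hosts")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Requests with "N" padding and ordinary page fetches are left out of the count, so the totals cover only the Code Red II style probes.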