Follow my line of thinking here. In many cases, we're getting reports of Code Red for machines that are not running Win2k -- Win9x or a unix variant. We jump to the conclusion that the reports were in error. However, lots of the reports are not coming from signature-checking sources (e.g., IDS), but rather are simply seen to be hitting port 80/tcp on a machine that isn't a (perhaps public) webserver. So are a lot of the reports simply a distraction? I don't think so.

I've noticed we have a good amount of the sadmind/IIS worm presence on our network. (See http://www.cert.org/advisories/CA-2001-11.html for one writeup.) Recall that this is the worm that hits Solaris boxes with a sadmind buffer overflow, and then those machines go after IIS with a Unicode directory traversal vulnerability. If I'm correct, that implies a) sadmind/IIS is more prevalent than we'd realized and, possibly b) that there might be a variant of sadmind/IIS that succeeds on non-Solaris machines unlike the original variant.

Any corroboration on (b) from anyone?

En paz,
Steve, (tired) security analyst

-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompsonat_private URL=http://pobox.upenn.edu/~thompson/index.html
For security matters, use securityat_private, read by InfoSec staff
The only safe choice: Write e-mail as if it's public. Cuz it could be.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
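An added illustration, not part of Steve's post: a small Python log classifier that tells a Code Red probe apart from the IIS directory-traversal requests the second stage of sadmind/IIS sends, run over constructed access-log lines. It assumes the publicly documented request shapes (Code Red's /default.ida probe with a long filler run; traversal to cmd.exe via overlong-UTF-8 or double-encoded slashes) and common-log-format input; as the post notes, a bare port-80 hit cannot distinguish the two, only the request can.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format) for illustration only;
# hypothetical, not from the list post or any real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:10:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 -
10.0.0.9 - - [04/Aug/2001:10:03:42 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [04/Aug/2001:10:04:01 -0400] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [04/Aug/2001:10:05:13 -0400] "GET /msadc/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Overlong UTF-8 encodings of '/' (%c0%af) and '\' (%c1%9c) that the old IIS decoder accepted.
OVERLONG = re.compile(r'%c0%af|%c1%9c', re.I)
# Code Red's probe: /default.ida followed by a long run of one repeated character.
CODE_RED_RE = re.compile(r'^/default\.ida\?(.)\1{19,}', re.I)
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

def normalize_target(target: str) -> str:
    """Decode the request target the way a lenient server would: map overlong
    slashes to real ones and percent-decode twice to unwrap double encoding."""
    s = target
    for _ in range(2):
        s = OVERLONG.sub(lambda m: '/' if m.group(0).lower() == '%c0%af' else '\\', s)
        s = unquote(s, encoding='latin-1')
    return s.replace('\\', '/').lower()

def classify(target: str) -> str:
    """Label one request target: 'code-red', 'iis-traversal' or 'benign'."""
    if CODE_RED_RE.search(target):
        return 'code-red'
    path = normalize_target(target).split('?', 1)[0]
    if TRAVERSAL_RE.search(path) and 'cmd.exe' in path:
        return 'iis-traversal'   # the IIS stage of sadmind/IIS, or any copycat
    return 'benign'

def scan_log(text: str) -> list:
    """Return (source ip, label) for every non-benign request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (label := classify(m['target'])) != 'benign':
            hits.append((m['ip'], label))
    return hits

if __name__ == '__main__':
    for ip, label in scan_log(SAMPLE_LOG):
        print(f'{ip:15} {label}')
```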
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 15:19:15 PDT