Re: Code Red(s) being confused with sadmind/IIS worm?

From: ghandiat_private
Date: Thu Aug 09 2001 - 17:28:14 PDT


    I have found the same thing. We realized yesterday afternoon that a rogue
    laptop on our network was running an out-of-the-box 2k install. It had been
    infected with Code Red II. It didn't take us long, however, to discover that
    it also had been hit with the sadmind/IIS worm much earlier and had gone
    unnoticed.
    
    Out of curiosity we scanned several other 2k machines on our network and
    found the same thing, sadmind/IIS. So yes, sadmind/IIS is much more
    prevalent than we realize. Those who have code red probably should check
    for sadmind/IIS as well.
    
    Best,
    Patrick Stokes
    
    On Thu, 9 Aug 2001, Stephen W. Thompson wrote:
    
    > Follow my line of thinking here.
    >
    > In many cases, we're getting reports of Code Red for machines that are
    > not running Win2k -- Win9x or a unix variant.  We jump to the
    > conclusion that the reports were in error.
    >
    > However, lots of the reports are not coming from signature-checking
    > sources (e.g., IDS), but rather are simply seen to be hitting port
    > 80/tcp on a machine that isn't a (perhaps public) webserver.
    >
    > So are a lot of the reports simply a distraction?  I don't think so.
    > I've noticed we have a good amount of the sadmind/IIS worm presence on
    > our network.  (See http://www.cert.org/advisories/CA-2001-11.html for
    > one writeup.)  Recall that this is the worm that hits Solaris boxes
    > with a sadmind buffer overflow, and then those machines go after IIS
    > with a Unicode directory traversal vulnerability.
    >
    > If I'm correct, that implies a) sadmind/IIS is more prevalent than
    > we'd realized and, possibly b) that there might be a variant of
    > sadmind/IIS that succeeds on non-Solaris machines unlike the original
    > variant.  Any corroboration on (b) from anyone?
    >
    > En paz,
    > Steve, (tired) security analyst
    > --
    > Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
    > thompsonat_private    URL=http://pobox.upenn.edu/~thompson/index.html
    >   For security matters, use securityat_private, read by InfoSec staff
    >   The only safe choice: Write e-mail as if it's public.  Cuz it could be.
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
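
Steve's point above is that many of the reports are flow-level sightings of traffic to port 80 with no signature behind them, so a hit on a non-web host says nothing about which worm is knocking. The script below is an added example, not part of either message: it reads web-server access-log lines and labels each request by the two well-known request shapes, the /default.ida overflow probe used by Code Red, and the overlong-UTF-8 directory traversal against IIS used by the sadmind/IIS worm described in CA-2001-11. The log format, the sample lines and the label names are constructed for this example.

```python
"""Triage web-server log lines for Code Red vs. sadmind/IIS-style requests.

Added example, not part of the original thread. The sample log lines at the
bottom are constructed; the request patterns are the well-known ones:
Code Red's .ida overflow request to /default.ida, and the IIS Unicode
directory-traversal request (overlong UTF-8 for '/' or '\\') used by the
sadmind/IIS worm (CERT CA-2001-11).
"""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Apache "common"-style line; only source, request path and status are used.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (src, path, status) or None if the line is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('src'), m.group('path'), int(m.group('status'))


def decode_overlong(raw):
    """Fold 2-byte overlong UTF-8 sequences (lead byte C0/C1) to ASCII.

    %c0%af -> '/', %c1%9c -> '\\'. A conforming UTF-8 decoder rejects these;
    the vulnerable IIS decoder accepted them, which is what made the
    traversal slip past the normal '..' check.
    """
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode('latin-1')


def classify_path(path):
    """Label one request path: 'code-red', 'iis-traversal' or 'other'."""
    if path.lower().startswith('/default.ida'):
        return 'code-red'  # .ida ISAPI overflow probe (CRv1/v2 and CRII alike)
    decoded = decode_overlong(unquote_to_bytes(path)).replace('\\', '/').lower()
    decoded = re.sub(r'/+', '/', decoded)  # so '..//' and '../' compare equal
    if '/../' in decoded and 'cmd.exe' in decoded:
        return 'iis-traversal'  # sadmind/IIS-style request against IIS
    return 'other'


def triage(lines):
    """Tally labels per source address; unparseable lines are skipped."""
    tally = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, path, _status = parsed
        tally.setdefault(src, Counter())[classify_path(path)] += 1
    return tally


# Constructed sample lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Aug/2001:13:02:11 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858=a HTTP/1.0" 404 274',
    '10.0.0.9 - - [09/Aug/2001:13:05:40 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1234',
    '10.0.0.9 - - [09/Aug/2001:13:05:41 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1234',
    '192.168.1.20 - - [09/Aug/2001:13:10:02 -0700] "GET /index.html HTTP/1.0" 200 4521',
    'garbage line that is not a request',
]

if __name__ == '__main__':
    for src, counts in triage(SAMPLE_LOG).items():
        print(src, dict(counts))
```

The per-source tally is what separates "seen knocking on port 80" from "identified worm": a host that only shows up in firewall counters gets no label at all, and one whose log carries both shapes, like the rogue laptop above, shows both. Code Red II requests differ from CRv1/v2 only in the filler and payload after /default.ida, so they collapse into one label here.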
    
    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:25:24 PDT