Steve,

> In many cases, we're getting reports of Code Red for machines that are
> not running Win2k -- Win9x or a unix variant. We jump to the
> conclusion that the reports were in error.

Yes, I've been seeing this in other lists, and on Usenet. Not only have cases been misreported by admins who may or may not be knowledgeable enough to report such things, but folks reporting just about any unusual activity on port 80 in the past 2 wks, regardless of web server (or the absence thereof), have been told by others that it's Code Red.

> However, lots of the reports are not coming from signature-checking
> sources (e.g., IDS), but rather are simply seen to be hitting port
> 80/tcp on a machine that isn't a (perhaps public) webserver.

As the Code Red worm scans rather indiscriminately for hosts to infect, a lot of us are seeing SYN packets to port 80. With no other activity to observe, many may be making the assumption that it's the result of Code Red, and instead of reporting 200 SYN packets to port 80, they are reporting 200 attempts at Code Red. Many of the SYN packets may not be from infected systems at all, but rather may be folks using the eEye tool (or any of the variants) to look for unpatched systems, or systems with root.exe in the /scripts or /msadc directory. But again...many folks (particularly home users with BlackIce or ZA) are seeing the scans and reporting the SYN packets as Code Red.

> Any corroboration on (b) from anyone?

That would be interesting to see. After all, the IIS exploit used by sadmin/IIS was patched about 7 or so months before the worm came out. There is no reason to assume that there aren't still unpatched servers out there...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:56:16 PDT
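The distinction drawn in the post above, between a bare SYN to tcp/80 as a personal firewall would log it and a request that actually carries the worm's signature or a root.exe probe, as an added example that is not part of the original message or the list archive: a small Python triage script that buckets constructed log lines by what the evidence supports. The log line format, the addresses, and the `classify` and `summarize` names are assumptions made for the example; the /scripts and /msadc root.exe paths are the ones the post mentions, and the /default.ida request pattern is the publicly documented Code Red request.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post): bare SYNs to
# tcp/80 as a personal firewall would report them, plus web-server request
# lines that carry an actual payload. Format is assumed for the example.
SAMPLE_LOGS = [
    "2001-08-09 10:01:02 FW SYN 10.0.0.7:3345 -> 192.0.2.10:80",
    "2001-08-09 10:01:03 FW SYN 10.0.0.8:1100 -> 192.0.2.10:80",
    '2001-08-09 10:02:11 WEB 10.0.0.9 "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 400',
    '2001-08-09 10:03:40 WEB 10.0.0.11 "GET /scripts/root.exe?/c+dir HTTP/1.0" 404',
    '2001-08-09 10:03:41 WEB 10.0.0.11 "GET /msadc/root.exe?/c+dir HTTP/1.0" 404',
    '2001-08-09 10:05:00 WEB 10.0.0.12 "GET /index.html HTTP/1.0" 200',
    "2001-08-09 10:06:00 FW SYN 10.0.0.13:2222 -> 192.0.2.10:25",
]

# A firewall SYN record: source host:port -> destination host:port.
SYN_RE = re.compile(r"\bSYN\b\s+(\S+):\d+\s+->\s+\S+:(\d+)")
# A web-server request line: method, path, protocol.
REQ_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d"')
# Code Red's request: /default.ida? followed by a long run of filler
# characters (N for the original, X for the variant) and %u-encoded bytes.
CODE_RED_RE = re.compile(r"^/default\.ida\?[NX]+.*%u", re.IGNORECASE)
# Probes for a previously planted root.exe in the directories the post names.
ROOT_EXE_RE = re.compile(r"^/(?:scripts|msadc)/root\.exe", re.IGNORECASE)


def classify(line):
    """Return what a single log line actually supports.

    Only a request line carrying the worm's signature counts as confirmed
    Code Red; a SYN on its own is recorded as an unconfirmed port-80 hit.
    """
    m = REQ_RE.search(line)
    if m:
        path = m.group(1)
        if CODE_RED_RE.search(path):
            return "code_red_signature"
        if ROOT_EXE_RE.search(path):
            return "root_exe_probe"
        return "ordinary_http"
    m = SYN_RE.search(line)
    if m:
        return "syn_port80_unconfirmed" if m.group(2) == "80" else "syn_other_port"
    return "other"


def summarize(lines):
    """Count lines per evidence class so a report can say '2 SYNs to port 80,
    1 signature-confirmed Code Red request' instead of '3 Code Red attempts'."""
    return dict(Counter(classify(line) for line in lines))


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{label:24s} {count}")
```

Run as a script it prints one count per class; the point of the split is that the two SYN-only entries stay in their own bucket rather than being rolled into the worm count.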