Re: Code Red(s) being confused with sadmind/IIS worm?

From: H C (keydet89at_private)
Date: Thu Aug 09 2001 - 16:31:03 PDT


    Steve,
    
    > In many cases, we're getting reports of Code Red for
    > machines that are
    > not running Win2k -- Win9x or a unix variant.  We
    > jump to the
    > conclusion that the reports were in error.
    
    Yes, I've been seeing this in other lists, and on
    Usenet.  Not only have cases been misreported by
    admins who may or may not be knowledgeable enough to
    report such things, but folks reporting just about any
    unusual activity on port 80 in the past 2 wks,
    regardless of web server (or the absence thereof) have
    been told by others that it's Code Red.
    
    > However, lots of the reports are not coming from
    > signature-checking
    > sources (e.g., IDS), but rather are simply seen to
    > be hitting port
    > 80/tcp on a machine that isn't a (perhaps public)
    > webserver.
    
    As the Code Red worm scans rather indiscriminately for
    hosts to infect, a lot of us are seeing SYN packets to
    port 80.  With no other activity to observe, many may
    be making the assumption that it's the result of Code
    Red, and instead of reporting 200 SYN packets to port 80,
    they are reporting 200 attempts at Code Red.  Many of
    the SYN packets may not be from infected systems at
    all, but rather may be folks using the eEye tool (or
    any of the variants) to look for unpatched systems, or
    systems with root.exe in the /scripts or /msadc
    directory.
    
    But again...many folks (particularly home users with
    BlackIce or ZA) are seeing the scans and reporting the
    SYN packets as Code Red.
    
    >  Any corroboration on (b) from anyone?
    
    That would be interesting to see.  After all, the IIS
    exploit used by sadmind/IIS was patched about 7 or so
    months before the worm came out.  There is no reason
    to assume that there aren't still unpatched servers
    out there...
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
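As an added illustration of the triage the post argues for (this is example code, not part of the original message), here is a small Python classifier over constructed firewall and web-server log lines: a bare SYN to port 80 is counted as a SYN and nothing more, while only a logged HTTP request for /scripts/root.exe or /msadc/root.exe is flagged as a probe for the backdoor left by the sadmind/IIS worm. The two log formats and all sample lines are assumptions made for this example.

```python
import re
from collections import Counter

# Log formats below are assumptions for this example, not real product formats.
FIREWALL_SYN = re.compile(
    r"^(?P<ts>\S+ \S+) DENY TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN$"
)
WEB_REQUEST = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# The backdoor location the post names (root.exe under /scripts or /msadc).
ROOT_EXE = re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)

def classify(line: str) -> str:
    """Label one log line; a SYN on its own is never labelled 'Code Red'."""
    m = FIREWALL_SYN.match(line)
    if m:
        # No payload was seen, so the most this line supports is "SYN to port N".
        return "syn_only_80" if m.group("dport") == "80" else "syn_only_other"
    m = WEB_REQUEST.match(line)
    if m:
        path = m.group("path").split("?", 1)[0]
        if ROOT_EXE.match(path):
            return "root_exe_probe"   # request content matches a known artifact
        return "http_other"
    return "unparsed"

def triage(lines) -> Counter:
    return Counter(classify(l) for l in lines if l.strip())

def summary(counts: Counter) -> str:
    """Phrase the report the way the post recommends: count what was observed."""
    return (
        f"{counts['syn_only_80']} SYN packets to port 80 (source unknown: worm, "
        f"scanner, or ordinary client); {counts['root_exe_probe']} requests for "
        f"root.exe (sadmind/IIS backdoor probe); "
        f"{counts['http_other']} other HTTP requests"
    )

# Constructed sample lines (RFC 5737 documentation addresses) for a self-contained run.
SAMPLE = """\
2001-08-09 10:11:12 DENY TCP 198.51.100.7:3345 -> 192.0.2.10:80 SYN
2001-08-09 10:11:13 DENY TCP 198.51.100.8:1029 -> 192.0.2.10:80 SYN
2001-08-09 10:11:14 DENY TCP 198.51.100.9:4100 -> 192.0.2.10:443 SYN
2001-08-09 10:11:15 203.0.113.4 GET /scripts/root.exe 404
2001-08-09 10:11:16 203.0.113.5 GET /index.html 200
2001-08-09 10:11:17 203.0.113.6 GET /MSADC/root.exe 404
"""
if __name__ == "__main__":
    print(summary(triage(SAMPLE.splitlines())))
```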
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:56:16 PDT