Anybody know of a similar problem? Is this Code Red or something else? Does anybody know WHY this would happen? For the past 13 days we have been experiencing an unusual occurrence. Every time a particular patched NT 4.0 server of ours running IIS 4 is probed by a Code Red infected system, our server immediately responds back to the prober by attempting to exploit the vulnerability on that system. Example: 158.42.25.98 sends the "/default.ida?" string followed by the "X" or "N" string (depending on the Code Red version) and our system immediately sends back the corresponding hack such as the HTML used in Code Red (Hacked By Chinese!) or attempts to execute or drop D:EXPLORER.EXE on the attacking system. Our IDS logs and HTTP logs confirm these events. Our system in question does not react as if it is infected with Code Red (i.e. continuously probing other IP addresses) and as a matter of fact we have confirmed the MS patch installation, run Trend Micro Systems anti-virus software on it, rebooted it, and manually scanned for the tell-tale signs of Code Red infection. It only sends out this Code Red-like activity when it is probed. I've included a copy of one entry from our IDS below. Inbound port was 80 and outbound port was 2913. Context incoming is the data that was sent to us (for instance from 158.42.25.98) and context outgoing is what our server sent back. 
Ports: 80 -> 2913
Context Match: [/]default[.]ida[?][a-zA-Z0-9]+%u
Context Incoming: ://***.***.***.***/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX%u
Context Outgoing: \FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\ FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\F C\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC \FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\00\00\00\ 00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00^\BF\B9\05\00\00j\07\E8 \10\00\00\00d: explorer.exe\00\8B\04 $\88\18\FFU\CC\83\F8\FFtM\89\85L\FE\FF\FF\AC\8A\F88>u'j \E8#\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 \00\00\00\00\00\00\00\00\00\00\00j\01V\FF\B5L\FE\FF\FF\FFU\C8FOu\C5\FF\B5L\F E\FF\FF\FFU\C4\FE\C3\80\FBd\0F\86L\F9\FF\FF\C3a\C9\C2\04\00\0

===========================
J. Patrick Lindley
Assistant IT Security Manager
Planning & Consulting Division
1651 Alhambra Blvd.
Sacramento, CA 95816
916-739-7976

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
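As an added example (not part of the original post or any IDS product), the Python below applies the context-match signature from the IDS entry above to both directions of a recorded exchange: it reports the filler letter (X or N) of an inbound probe and flags the anomaly the poster describes, a reply from the server that carries a long run of one repeated byte followed by the embedded `explorer.exe` string. The `\HH` escape decoding, the 64-byte run threshold and the sample records are assumptions constructed for the example.

```python
import re

# Context-match signature copied from the IDS entry quoted in the post.
PROBE_RE = re.compile(r"/default\.ida\?([a-zA-Z0-9]+)%u")
# Assumed IDS notation: a non-printable byte appears as \HH, other chars literal.
ESC_RE = re.compile(r"\\([0-9A-Fa-f]{2})")
SLED_RUN = 64  # assumed threshold for "long run of one byte value"

def decode_ids_context(text: str) -> bytes:
    """Turn '\\FC\\FC...d:\\explorer.exe\\00' style context into raw bytes."""
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)

def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    for i, b in enumerate(data):
        run = run + 1 if i and data[i - 1] == b else 1
        best = max(best, run)
    return best

def classify(incoming: str, outgoing: str) -> dict:
    """Classify one IDS record: inbound probe variant, and whether the
    server's own reply carries the worm payload (the anomaly in the post)."""
    result = {"probe": None, "server_responded_with_payload": False}
    m = PROBE_RE.search(incoming)
    if m:
        filler = set(m.group(1))
        # A single repeated letter (X or N) is the worm's filler; anything
        # else still matches the IDS signature but is reported as mixed.
        result["probe"] = filler.pop() if len(filler) == 1 else "mixed"
    payload = decode_ids_context(outgoing)
    if longest_byte_run(payload) >= SLED_RUN and b"explorer.exe" in payload.lower():
        result["server_responded_with_payload"] = True
    return result

# Constructed sample records shaped like the IDS entry above (not real traffic).
SAMPLE_IN = "://***.***.***.***/default.ida?" + "X" * 224 + "%u"
SAMPLE_OUT = ("\\FC" * 100 + "\\00" * 20
              + "^\\BF\\B9\\05\\00\\00j\\07\\E8\\10\\00\\00\\00d:\\explorer.exe\\00")

if __name__ == "__main__":
    print(classify(SAMPLE_IN, SAMPLE_OUT))
    print(classify(SAMPLE_IN, "HTTP/1.1 404 Not Found"))
```

A normal 404 reply to the probe leaves the second flag false; only a reply that itself looks like the worm payload, as in the entry above, sets it.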
This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 15:10:08 PDT