Re: Appeal for Help. NOT Code Red But Is It?

From: Bryan Andersen (bryanat_private)
Date: Mon Aug 13 2001 - 22:57:47 PDT


    Some people have written scripts that do the actions you 
    describe and have installed them on various boxes.  I have 
    a copy of one of the perl based versions.  The version I 
    have sends out a command to shutdown the probing windows 
    box.
    
    Slashdot has an article that links to one of the tools.
        http://slashdot.org/article.pl?sid=01/08/11/1420207
    
    Warning: if you follow the below link and you are accessing it 
    from a CodeRed II infected, but not cleaned up IIS web server 
    it will shut the box down.
        http://www.dasbistro.com/default.ida
    If you get through to the link you can get at the tarball of
    the code.
    
    
    "Lindley, Patrick@HHSDC" wrote:
    > 
    > Anybody know of a similar problem? Is this Code Red or something else? Does
    > anybody know WHY this would happen?
    > 
    > For the past 13 days we have been experiencing an unusual occurrence.  Every
    > time a particular patched NT 4.0 server of ours running IIS 4 is probed by a
    > Code Red infected system, our server immediately responds back to the prober
    > by attempting to exploit the vulnerability on that system.
    > 
    > Example:  158.42.25.98 sends the "/default.ida?" string followed by the "X"
    > or "N" string (depending on the Code Red version) and our system immediately
    > sends back the corresponding hack such as the HTML used in Code Red (Hacked
    > By Chinese!) or attempts to execute or drop D:EXPLORER.EXE on the attacking
    > system.
    > 
    > Our IDS logs and HTTP logs confirm these events. Our system in question does
    > not react as if it is infected with Code Red (i.e. continuously probing
    > other IP addresses) and as a matter of fact we have confirmed the MS patch
    > installation, run Trend Micro Systems anti-virus software on it, rebooted
    > it, and manually scanned for the tell-tale signs of Code Red infection.  It
    > only sends out this Code Red-like activity when it is probed.
    > 
    > I've included a copy of one entry from our IDS below.  Inbound port was 80
    > and outbound port was 2913. Context incoming is the data that was sent to us
    > (for instance from 158.42.25.98) and context outgoing is what our server
    > sent back.
    > 
    >            Ports: 80 -> 2913
    >    Context Match: [/]default[.]ida[?][a-zA-Z0-9]+%u
    > Context Incoming:
    > ://***.***.***.***/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > XXXXXXXXXXXXXXXXXXXXXXXXXXX%u
    > 
    > Context Outgoing:
    > \FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\
    > FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\F
    > C\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC
    > \FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\00\00\00\
    > 00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00^\BF\B9\05\00\00j\07\E8
    > \10\00\00\00d:
    > 
    > explorer.exe\00\8B\04
    > $\88\18\FFU\CC\83\F8\FFtM\89\85L\FE\FF\FF\AC\8A\F88>u'j
    > \E8#\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
    > \00\00\00\00\00\00\00\00\00\00\00j\01V\FF\B5L\FE\FF\FF\FFU\C8FOu\C5\FF\B5L\F
    > E\FF\FF\FFU\C4\FE\C3\80\FBd\0F\86L\F9\FF\FF\C3a\C9\C2\04\00\0
    > 
    > ===========================
    > J. Patrick Lindley
    > Assistant IT Security Manager
    > Planning & Consulting Division
    > 1651 Alhambra Blvd.
    > Sacramento, CA 95816
    > 916-739-7976
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    |  Bryan Andersen   |   bryanat_private   |   http://www.nerdvest.com   |
    | Buzzwords are like annoying little flies that deserve to be swatted. |
    |   -Bryan Andersen                                                    |
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
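As an added, defender-side example (not part of this thread or of any tool it links to): the quoted IDS entry gives the context-match signature `[/]default[.]ida[?][a-zA-Z0-9]+%u` and notes that the filler run is "X" or "N" depending on the Code Red version (Code Red II fills with X, the original Code Red with N). The script below applies that signature to constructed inbound request log lines, tallies probes by source address and variant, and separately checks a captured outbound payload for the two features visible in the "Context Outgoing" dump (a long run of 0xFC bytes and the `explorer.exe` string), which is the check a responder would run to confirm whether their own server is replying to probes the way the report describes. The log line format, the sample lines, and the sample payload bytes are all constructed for this example; only the signature and the X/N distinction come from the report.

```python
import re

# Inbound probe signature, taken verbatim from the IDS "Context Match" in the report.
# The capture group holds the filler run so we can tell the variants apart.
CODE_RED_RE = re.compile(r"/default\.ida\?([a-zA-Z0-9]+)%u")

# Outbound indicators visible in the report's "Context Outgoing" dump: a long run of
# 0xFC filler bytes and the dropped file name. Threshold of 64 bytes is an assumption.
FC_RUN_RE = re.compile(rb"\xfc{64,}")
DROPPED_NAME = b"explorer.exe\x00"


def classify_request(request_line):
    """Classify one HTTP request line.

    Returns 'code-red-ii' for an X filler, 'code-red-i' for an N filler,
    'code-red-unknown' for a matching probe with some other filler, or None
    when the signature does not match at all.
    """
    m = CODE_RED_RE.search(request_line)
    if not m:
        return None
    filler = set(m.group(1))
    if filler == {"X"}:
        return "code-red-ii"
    if filler == {"N"}:
        return "code-red-i"
    return "code-red-unknown"


def scan_log(lines):
    """Tally Code Red probes from log lines in the constructed format
    '<date> <time> <src_ip> "<request line>" <status>'.

    Returns {(src_ip, variant): count}; non-matching lines are ignored.
    """
    hits = {}
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue  # malformed line, no quoted request
        fields = parts[0].split()
        if len(fields) < 3:
            continue
        src_ip = fields[2]
        variant = classify_request(parts[1])
        if variant is not None:
            hits[(src_ip, variant)] = hits.get((src_ip, variant), 0) + 1
    return hits


def looks_like_code_red_ii_payload(data):
    """True when outbound data carries both indicators from the report's
    outgoing context: a run of 0xFC filler and the explorer.exe drop name.
    A server that is only patched should never emit this in a response."""
    return FC_RUN_RE.search(data) is not None and DROPPED_NAME in data


# Constructed sample inbound log lines (format and addresses are made up for
# this example; 158.42.25.98 is the prober address quoted in the report).
SAMPLE_LOG = [
    '2001-08-13 22:10:03 158.42.25.98 "GET /default.ida?' + "X" * 224
    + '%u0000 HTTP/1.0" 200',
    '2001-08-13 22:11:17 192.0.2.17 "GET /default.ida?' + "N" * 224
    + '%u0000 HTTP/1.0" 200',
    '2001-08-13 22:12:40 192.0.2.33 "GET /index.html HTTP/1.0" 200',
    '2001-08-13 22:13:05 192.0.2.44 "GET /default.ida?' + "A" * 40
    + '%u0000 HTTP/1.0" 404',
]

# Constructed outbound payload mimicking the shape of the report's outgoing
# context (filler, zero padding, drop name); not real worm bytes.
SAMPLE_OUTBOUND = b"\xfc" * 100 + b"\x00" * 21 + b"d:\\" + DROPPED_NAME + b"\x8b\x04"
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


if __name__ == "__main__":
    for (ip, variant), n in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{ip:16} {variant:18} {n}")
    print("outbound sample looks like CRII:", looks_like_code_red_ii_payload(SAMPLE_OUTBOUND))
    print("benign response looks like CRII:", looks_like_code_red_ii_payload(BENIGN_RESPONSE))
```

Feeding real IIS or IDS exports into `scan_log` only requires adapting the field split in that function; `classify_request` and the outbound check are independent of the log format. A patched server whose inbound tally is non-zero but whose outbound responses never satisfy `looks_like_code_red_ii_payload` is behaving as expected; any outbound hit is the anomaly the original poster was chasing and warrants a full-packet capture of that session.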



    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 11:23:24 PDT