Some people have written scripts that do the actions you describe and have installed them on various boxes. I have a copy of one of the perl based versions. The version I have sends out a command to shutdown the probing windows box. Slashdot has an article that links to one of the tools.

http://slashdot.org/article.pl?sid=01/08/11/1420207

Warning: if you follow the link below and you are accessing it from a CodeRed II infected, but not cleaned up, IIS web server, it will shut the box down.

http://www.dasbistro.com/default.ida

If you get through to the link you can get at the tarball of the code.

"Lindley, Patrick@HHSDC" wrote:
>
> Anybody know of a similar problem? Is this Code Red or something else? Does
> anybody know WHY this would happen?
>
> For the past 13 days we have been experiencing an unusual occurrence. Every
> time a particular patched NT 4.0 server of ours running IIS 4 is probed by a
> Code Red infected system, our server immediately responds back to the prober
> by attempting to exploit the vulnerability on that system.
>
> Example: 158.42.25.98 sends the "/default.ida?" string followed by the "X"
> or "N" string (depending on the Code Red version) and our system immediately
> sends back the corresponding hack such as the HTML used in Code Red (Hacked
> By Chinese!) or attempts to execute or drop D:EXPLORER.EXE on the attacking
> system.
>
> Our IDS logs and HTTP logs confirm these events. Our system in question does
> not react as if it is infected with Code Red (i.e. continuously probing
> other IP addresses) and as a matter of fact we have confirmed the MS patch
> installation, run Trend Micro Systems anti-virus software on it, rebooted
> it, and manually scanned for the tell-tale signs of Code Red infection. It
> only sends out this Code Red-like activity when it is probed.
>
> I've included a copy of one entry from our IDS below. Inbound port was 80
> and outbound port was 2913.
> Context incoming is the data that was sent to us
> (for instance from 158.42.25.98) and context outgoing is what our server
> sent back.
>
> Ports: 80 -> 2913
> Context Match: [/]default[.]ida[?][a-zA-Z0-9]+%u
> Context Incoming:
> ://***.***.***.***/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXX%u
>
> Context Outgoing:
> \FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\
> FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\F
> C\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC
> \FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\FC\00\00\00\
> 00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00^\BF\B9\05\00\00j\07\E8
> \10\00\00\00d:
>
> explorer.exe\00\8B\04
> $\88\18\FFU\CC\83\F8\FFtM\89\85L\FE\FF\FF\AC\8A\F88>u'j
> \E8#\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
> \00\00\00\00\00\00\00\00\00\00\00j\01V\FF\B5L\FE\FF\FF\FFU\C8FOu\C5\FF\B5L\F
> E\FF\FF\FFU\C4\FE\C3\80\FBd\0F\86L\F9\FF\FF\C3a\C9\C2\04\00\0
>
> ===========================
> J. Patrick Lindley
> Assistant IT Security Manager
> Planning & Consulting Division
> 1651 Alhambra Blvd.
> Sacramento, CA 95816
> 916-739-7976
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-- 
| Bryan Andersen | bryanat_private | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
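As an added example (not part of this thread, and not code from any tool it links to): the IDS context match quoted above, `[/]default[.]ida[?][a-zA-Z0-9]+%u`, turned into a small Python log scanner that flags Code Red-style probes in web-server log lines, labels the variant by the filler character, and lists sources that swept more than one host, which is the "continuously probing other IP addresses" sign the original poster mentions. The simplified log layout and every sample line are constructed for this example; the mapping of N filler to the original Code Red and X filler to Code Red II is taken from the public advisories on the worm, not from this post.

```python
"""Detect Code Red-style /default.ida probes in web-server log lines.

Constructed sample data. The probe pattern is the IDS context match from the
quoted message; the variant labels (N = original Code Red, X = Code Red II)
follow the publicly documented probe strings rather than the post itself.
"""
import re
from collections import defaultdict

# Same pattern the poster's IDS used, with the filler captured so it can be classified.
CODE_RED_PROBE = re.compile(r"/default\.ida\?([A-Za-z0-9]+)%u")

# Hypothetical simplified log layout (constructed): "src_ip dst_ip METHOD uri status"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_probe(uri):
    """Return a variant label suggested by the filler character, or None if not a probe."""
    m = CODE_RED_PROBE.search(uri)
    if not m:
        return None
    filler = m.group(1)
    if set(filler) == {"N"}:
        return "Code Red (N filler)"
    if set(filler) == {"X"}:
        return "Code Red II (X filler)"
    return "default.ida probe (unknown filler)"


def scan_log(lines):
    """Parse log lines and return one dict per detected probe, in log order."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # lines that do not fit the layout are ignored, not guessed at
        src, dst, method, uri, status = m.groups()
        variant = classify_probe(uri)
        if variant:
            hits.append({"src": src, "dst": dst, "variant": variant, "status": int(status)})
    return hits


def suspected_scanners(hits, min_targets=2):
    """Sources that probed at least `min_targets` distinct hosts.

    One stray request is noise; the same source hitting several of our hosts
    looks like the worm's address sweep and is worth a closer look.
    """
    targets = defaultdict(set)
    for h in hits:
        targets[h["src"]].add(h["dst"])
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


SAMPLE_LOG = [
    # constructed: X-filler probe from the source IP named in the post, against one of our hosts
    "158.42.25.98 10.0.0.5 GET /default.ida?" + "X" * 40 + "%u9090%u6858 200",
    # constructed: same source hitting a second internal host, i.e. sweep behaviour
    "158.42.25.98 10.0.0.6 GET /default.ida?" + "X" * 40 + "%u9090%u6858 404",
    # constructed: N-filler probe from a different (documentation-range) source
    "192.0.2.7 10.0.0.5 GET /default.ida?" + "N" * 40 + "%u9090%u6858 200",
    # constructed: ordinary request, must not match
    "192.0.2.9 10.0.0.5 GET /index.html 200",
    # constructed: default.ida without the %u encoding, must not match the IDS pattern
    "192.0.2.9 10.0.0.5 GET /default.ida?XXXX 200",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("sweeping sources:", suspected_scanners(found))
```

Run against a real IIS log you would only need to replace `LOG_LINE` with a parser for the W3C extended format the server actually writes; the probe classification and the per-source sweep count stay the same.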
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 11:23:24 PDT