Re: new codered worm?

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Thu Aug 30 2001 - 13:39:35 PDT


    "^^ sang sang" <gauri2007at_private> wrote:
    
    > I got the Code Red worm, which seems like a new mutation. I am not sure whether 
    > it is a new one. So please explain about that if you have any idea.
    
    This is not a "new CodeRed"...
    
    > I found logs like the ones below
    > 
    > 1.	traced the IP address
    > 2.	checked root.exe, which was used as a back door in the previous Code Red worm
    > 3.	/x.ida VVVVVVVVVVVVV  as a new attack pattern
    > 4.	This server is one that was infected in the previous Code Red attack, and 
    > it was already shut down. Accordingly, the attack failed (normally, IIS 
    > may stop when the ida buffer overflow fails) 
    > 
    > Also, it has a log entry for a print buffer overflow and it seems to be included 
    > in an automated script 
    > 
    > This is the log 
    > 
    > 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X GET /scripts/root.exe 
    > /c+dir+c:\ 404 -
    > 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET 
    > /c/winnt/system32/cmd.exe /c+dir+c:\ 404 -
    > 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET 
    > /d/winnt/system32/cmd.exe /c+dir+c:\ 404 -
    > 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /msadc/root.exe 
    > /c+dir+c:\ 404 -
    > 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET 
    > /c/inetpub/scripts/root.exe /c+dir+c:\ 404 -
    > 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET 
    > /d/inetpub/scripts/cmd.exe /c+dir+c:\ 404 -
    > 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /x.ida 
    > VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV 200 -
    
    Someone is probing your box for the .ida/.idq vulnerability and the 
    "leftovers" of an improperly cleaned-up CodeRed.C or CodeRed.D 
    attack.  Cleaning CodeRed by hand, people are likely to miss the 
    root.exe's in msadc and scripts and/or the open /C and /D virtual 
    roots.  The first six entries above are probes for those failures.  
    The seventh is harder to diagnose from here, because if it was an 
    overflow attempt, we'd have to see the full request (with the 
    "payload" code that is after the overflow) to know for sure what it 
    is supposed to do.
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
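
    The distinction Nick draws above (six probes for CodeRed II leftovers, then an
    .ida request whose payload the log cannot show) can be checked mechanically
    against an IIS log. The Python below is an added example, not code from the
    original post or from any of the people in this thread. It assumes a W3C
    extended log layout of date, time, c-ip, cs-username, s-ip, s-port, cs-method,
    cs-uri-stem, cs-uri-query, sc-status; flags root.exe copies and anything run
    through the /C and /D virtual roots as backdoor probes; treats a 200 on such a
    probe as the backdoor actually answering (a 404, as in the quoted log, means the
    leftover is not there); and marks .ida/.idq requests with a long single-character
    filler as overflow attempts whose payload is not in the log. The sample lines are
    constructed after the quoted log, with 10.0.0.5 standing in for X.X.X.X and two
    extra lines (one answered probe, one ordinary request) added for contrast.

```python
"""Classify IIS W3C log lines for CodeRed II leftover probes and .ida overflow attempts."""
import re
from collections import Counter

# Constructed stand-in for the long "VVVV..." filler in the thread's seventh entry.
IDA_FILLER = "V" * 240

# Constructed sample, modelled on the log quoted in the thread. Assumed field layout:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...
SAMPLE_LOG = [
    r"2001-08-27 01:41:39 210.92.26.120 - 10.0.0.5 80 GET /scripts/root.exe /c+dir+c:\ 404 -",
    r"2001-08-27 01:41:39 210.92.26.120 - 10.0.0.5 80 GET /c/winnt/system32/cmd.exe /c+dir+c:\ 404 -",
    r"2001-08-27 01:41:39 210.92.26.120 - 10.0.0.5 80 GET /d/winnt/system32/cmd.exe /c+dir+c:\ 404 -",
    r"2001-08-27 01:41:39 210.92.26.120 - 10.0.0.5 80 GET /msadc/root.exe /c+dir+c:\ 404 -",
    r"2001-08-27 01:41:39 210.92.26.120 - 10.0.0.5 80 GET /c/inetpub/scripts/root.exe /c+dir+c:\ 404 -",
    r"2001-08-27 01:41:39 210.92.26.120 - 10.0.0.5 80 GET /d/inetpub/scripts/cmd.exe /c+dir+c:\ 404 -",
    f"2001-08-27 01:41:39 210.92.26.120 - 10.0.0.5 80 GET /x.ida {IDA_FILLER} 200 -",
    # Constructed extras: a probe the backdoor answered, and ordinary traffic.
    r"2001-08-27 02:10:00 192.0.2.77 - 10.0.0.5 80 GET /scripts/root.exe /c+dir+c:\ 200 -",
    r"2001-08-27 02:11:00 198.51.100.9 - 10.0.0.5 80 GET /index.htm - 200 -",
]

# root.exe copies in /scripts and /msadc, or any cmd.exe / root.exe reached through
# the /C and /D virtual roots that an uncleaned CodeRed II infection leaves behind.
BACKDOOR_STEM = re.compile(
    r"^/(?:scripts|msadc)/root\.exe$|^/[cd]/.*/(?:cmd|root)\.exe$", re.IGNORECASE)
IDA_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)
# 100 or more repeats of one character in the query: the overflow filler.
FILLER_RUN = re.compile(r"(.)\1{99,}")


def parse_w3c(line):
    """Split one log line into the fields used below (layout assumed as above)."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return {
        "date": fields[0], "time": fields[1], "client": fields[2],
        "method": fields[6], "stem": fields[7], "query": fields[8],
        "status": int(fields[9]),
    }


def classify(line):
    """Return the parsed record plus a 'kind' saying what the request probes for."""
    rec = parse_w3c(line)
    if rec is None:
        return {"kind": "unparsed", "line": line}
    if BACKDOOR_STEM.search(rec["stem"]):
        rec["kind"] = "backdoor-probe"
        # 404: the leftover is not there. 200: the command ran; the box is still backdoored.
        rec["backdoor_present"] = rec["status"] == 200
    elif IDA_STEM.search(rec["stem"]) and FILLER_RUN.search(rec["query"]):
        rec["kind"] = "ida-overflow"
        rec["filler_len"] = len(FILLER_RUN.search(rec["query"]).group(0))
        # Only cs-uri-query is logged; the code that follows the filler in the real
        # request is not here, so this line alone cannot say what it was meant to do.
        rec["payload_visible"] = False
    else:
        rec["kind"] = "other"
    return rec


def summarize(lines):
    """Count hostile requests per client, and list probes that the backdoor answered."""
    hits = Counter()
    answered = []
    for line in lines:
        rec = classify(line)
        if rec["kind"] in ("backdoor-probe", "ida-overflow"):
            hits[rec["client"]] += 1
        if rec.get("backdoor_present"):
            answered.append((rec["client"], rec["stem"]))
    return hits, answered


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        r = classify(entry)
        print(r["kind"], r.get("client"), r.get("stem"), r.get("backdoor_present", ""))
    print(summarize(SAMPLE_LOG))
```

    Run against a real log, the 'answered' list is the one to act on: a 200 on
    /scripts/root.exe means a command shell is still reachable, whatever the
    status of the earlier clean-up. The .ida entries only tell you someone tried;
    as Nick says, the log does not carry the payload that would tell you what.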
    



    This archive was generated by hypermail 2b30 : Sat Sep 01 2001 - 10:42:31 PDT