Re: Code red variants?

From: Matthew Collins (Matthew.Collinsat_private)
Date: Thu Sep 06 2001 - 02:49:20 PDT


    I've seen this as well. I noticed it because the alert was occurring on IP addresses in our range that are not currently in use. There was nothing there to complete the handshake. Not sure what could be causing it.
    
    >>> Russell Fulton <r.fultonat_private> 06/09/01 00:14:18 >>>
    Snort logged a bunch of somewhat anomalous packets.  At first glance 
    they appear to be standard cmd.exe packets from code red.
    
    [**] WEB-IIS cmd.exe access [**]
    09/06-07:10:23.613276 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x5EA
    130.67.240.225:1450 -> 130.216.223.150:80 TCP TTL:101 TOS:0x0 ID:24351 IpLen:20 DgmLen:1500 DF
    ***A**** Seq: 0xE68E61F7  Ack: 0xE5C99396  Win: 0x2238  TcpLen: 20
    00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43  ..u..U..E......C
    6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55  loseHandle..u..U
    F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74  ..E......_lcreat
    00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F  ..u..U..E......_
    6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8  lwrite..u..U..E.
    E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC  ....._lclose..u.
    FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79  .U..E......GetSy
    73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89  stemTime..u..U..
    45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C  E......WS2_32.DL
    
    [ snip ]
    
    however what puzzled me is that the destination (130.216.223.150) is
    firewalled.  I then looked at the argus logs:
    
    06 Sep 01 07:10:23           tcp  130.67.240.225.1450   ?>   130.216.223.150.80    1        1         1460         0           A_RPA
    
    Which shows a single incoming packet with ACK set and payload.
    
    This suggests that the source is simply firing out packets without
    waiting for the handshake to complete.  This is not standard code red
    behaviour otherwise snort would be logging far more code red alerts.
    
    Also there was no ida alert for this address.
    
    I then used argus to dump all traffic from 130.67/16 (online.no) and found
    that there is a steady trickle of such packets.
    
    06 Sep 01 00:02:34    tcp  130.67.216.237.3339   ?>    130.216.246.91.80    1        0         1460         0           A_
    06 Sep 01 00:04:27    tcp  130.67.216.237.3955   ?>   130.216.145.172.80    2        0         2920         0           A_
    06 Sep 01 00:06:58    tcp  130.67.216.237.3339   ?>    130.216.246.91.80    1        0         2920         0           A_
    06 Sep 01 00:17:00    tcp   130.67.114.61.2124   ?>   130.216.213.213.80    1        0         1460         0           A_
    06 Sep 01 00:58:01    tcp    130.67.10.87.1922   ?>    130.216.78.223.80    1        0         1460         0           A_
    06 Sep 01 01:08:47    tcp  130.67.240.131.3281   ?>    130.216.185.75.80    1        1         1460         0           A_R
    06 Sep 01 01:23:10    tcp   130.67.58.251.3371   ?>   130.216.187.210.80    1        0         1460         0           A_
    06 Sep 01 01:28:38    tcp  130.67.118.172.4396   ?>    130.216.149.34.80    2        0         2920         0           A_
    06 Sep 01 01:28:59    tcp   130.67.229.89.2904   ?>     130.216.51.74.80    1        0         1460         0           A_
    06 Sep 01 01:33:50    tcp  130.67.118.172.3032   ?>     130.216.72.91.80    1        0         1460         0           A_
    
    This explains one thing: I had noticed that the snort cmd.exe count
    was consistently higher than the .ida count but I could not find any
    packets other than apparently ordinary code red ones.
    
    For comparison I dumped all traffic for another 130/8 which I know
    has a whole bunch of code red compromised machines and saw none of the
    bare ACK packets.
    
    Any idea what is going on?
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    
    
    
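One way to pull records like these out of argus output mechanically, as an added example (not code from either poster): it parses lines in the column layout quoted above and flags flows whose source sent payload but never a SYN, then counts them per source host to surface the "steady trickle". Reading the state field as `<src flags>_<dst flags>`, and `s`/`S` as a SYN seen, are assumptions; the sample lines are constructed to match the quoted format.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed records following the argus column layout quoted in the thread.
# The last two lines are a normal handshake and a bare SYN, for contrast.
SAMPLE_FLOWS = """\
06 Sep 01 07:10:23 tcp 130.67.240.225.1450 ?> 130.216.223.150.80 1 1 1460 0 A_RPA
06 Sep 01 00:02:34 tcp 130.67.216.237.3339 ?> 130.216.246.91.80 1 0 1460 0 A_
06 Sep 01 00:04:27 tcp 130.67.216.237.3955 ?> 130.216.145.172.80 2 0 2920 0 A_
06 Sep 01 07:11:00 tcp 130.67.1.1.4000 -> 130.216.10.10.80 5 4 612 3000 sSEfF_SEfF
06 Sep 01 07:12:00 tcp 130.67.2.2.4001 -> 130.216.10.11.80 1 0 0 0 s_
"""

@dataclass
class Flow:
    src: str
    dst: str
    src_pkts: int
    dst_pkts: int
    src_bytes: int
    state: str

    @property
    def src_flags(self) -> str:
        # Assumption: state is '<flags seen from src>_<flags seen from dst>'.
        return self.state.split("_", 1)[0]

def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 13 or f[4] != "tcp":
            continue  # skip headers, blanks and non-TCP records
        flows.append(Flow(f[5], f[7], int(f[8]), int(f[9]), int(f[10]), f[12]))
    return flows

def is_blind_payload(flow: Flow) -> bool:
    """Payload from the source but no SYN ever seen from it: data sent
    without waiting for a handshake, which is what the thread observed."""
    no_syn = not any(c in "sS" for c in flow.src_flags)
    return no_syn and "A" in flow.src_flags and flow.src_bytes > 0

def blind_payload_flows(text: str) -> list[Flow]:
    return [fl for fl in parse_flows(text) if is_blind_payload(fl)]

def count_by_source_host(text: str) -> Counter:
    # Strip the trailing port so the trickle can be counted per host.
    return Counter(fl.src.rsplit(".", 1)[0] for fl in blind_payload_flows(text))
```

Matching hits against hosts that are not actually in use, as the reply above describes, is a quick way to confirm no handshake could have completed.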
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com 
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 08:34:18 PDT