RE: original code red resurgence...

From: Fulton L. Preston Jr. (fultonat_private)
Date: Tue Oct 16 2001 - 10:51:54 PDT

    Been seeing the same thing here too along with the lack of an entry in
    either my Apache or IIS servers.  Sometimes Snort is reporting it as a
    whisker splicing attack.  Further investigation does find that the
    remote host is infected.
    
    -----Original Message-----
    From: Russell Fulton [mailto:r.fultonat_private] 
    Sent: Monday, October 15, 2001 7:39 PM
    To: incidentsat_private
    Subject: original code red resurgence...
    
    
    Greetings All,
    	      I have been watching the probe rate on port 80 and .ida 
    attacks with interest since the shutdown of Code Red II at the 
    beginning of the month.
    
    Initially we saw a sharp drop in the number of addresses doing random 
    probes to port 80 and an almost complete absence of .ida probes logged 
    by snort. Then a very slow increase in .ida probes (the ones padded 
    with "NNN").  Over the last few days the .ida probe rate has risen 
    from one or two per day to approximately 1 per hour across our network 
    and the overall probe rate has risen from around 1500 different source 
    IPs per hour to 1800. 
    
    The original code red is definitely still alive and spreading, albeit 
    slowly.
    
    There is one thing that puzzles me: snort (1.8.1) sometimes logs an 
    alert for '.ida attempt' but does not log any packet and in some cases 
    I have not been able to find the log entries in the web server logs.  
    This suggests that something odd is breaking in snort.  I have posted a 
    query on the snort_users mailing list but have not had any response.
    
    Any ideas?
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
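As an added example (not code from either poster), a small Python pass over constructed Apache-style access log lines that flags original-Code-Red-style .ida requests (the ones with an N-padded query) and reports, per hour, the two figures the original message tracks: .ida probe count and distinct source IPs. It only sees what the web server actually logged, so it cannot account for the snort alerts with no matching log entry that the message asks about.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache common log format (not real traffic): three
# N-padded /default.ida probes, one unpadded .ida hit, one malformed line.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Oct/2001:18:02:11 +1300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 288
203.0.113.9 - - [15/Oct/2001:18:14:52 +1300] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [15/Oct/2001:18:47:30 +1300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 288
192.0.2.33 - - [15/Oct/2001:19:03:05 +1300] "GET /Default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 200 0
203.0.113.9 - - [15/Oct/2001:19:10:41 +1300] "GET /robots.txt HTTP/1.1" 404 209
192.0.2.33 - - [15/Oct/2001:19:22:17 +1300] "GET /default.ida?foo=bar HTTP/1.0" 404 288
this line is not in common log format
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Original Code Red signature: an .ida request whose query is a long run of "N".
IDA_RE = re.compile(r'\.ida\?N{8,}', re.IGNORECASE)

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['hour'] = rec['ts'].rsplit(':', 2)[0]          # e.g. "15/Oct/2001:18"
    rec['ida_probe'] = bool(IDA_RE.search(rec['uri']))
    return rec

def summarize(lines):
    """Per hour: request count, distinct source IPs, .ida probes and probing hosts."""
    buckets = defaultdict(lambda: {'requests': 0, 'sources': set(), 'ida_sources': set(), 'ida_probes': 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                   # unparseable lines are skipped, not counted
        b = buckets[rec['hour']]
        b['requests'] += 1
        b['sources'].add(rec['ip'])
        if rec['ida_probe']:
            b['ida_probes'] += 1
            b['ida_sources'].add(rec['ip'])
    return {h: {'requests': b['requests'], 'distinct_sources': len(b['sources']),
                'ida_probes': b['ida_probes'], 'ida_sources': sorted(b['ida_sources'])}
            for h, b in buckets.items()}

if __name__ == '__main__':
    for hour, stats in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(hour, stats)
```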
    



    This archive was generated by hypermail 2b30 : Tue Oct 16 2001 - 11:21:15 PDT