Re: New CodeRed strain? -- UPDATE

From: Justin Pryzby (justinpryzbyat_private)
Date: Tue Apr 29 2003 - 15:13:53 PDT

    Note that this may simply be a confusion about the word 'packet'.  I
    have interpreted said word to mean a single transmission from one host
    to another, such that there is a TCP SYN packet, then a TCP SYN,ACK
    packet, then a TCP ACK packet.  Correct me if I'm wrong.
    
    > The packet itself appears to be classic CodeRed (II I believe), but
    > again, we're getting only the second packet. No TCP 3-way, for first
    > packet.
    
    You said 'No TCP 3-way'.  Do you mean that the initial GET is incomplete
    because of a TCP-layer problem?  Is there any attempt at all by the
    remote host to send it?  Do you maybe have a firewall which is watching
    the packets, noticing the first packet is C-R, and then blocking it?
    
    Obviously, the C-R detectors that are out there need to be improved, if
    simply sending the first GET..
    
    Justin Pryzby
    
    
    On Mon, Apr 28, 2003 at 01:13:00PM -0500, Frank Knobbe wrote:
    > 
    > 
    > As I see it did make it to the list, here an update.
    > 
    > The reason this packet hasn't been tripping the usual signatures is
    > simple. We are receiving *only* the second packet. There is no first
    > packet with GET /default.ida?XXXX etc.
    > 
    > The packet itself appears to be classic CodeRed (II I believe), but
    > again, we're getting only the second packet. No TCP 3-way, for first
    > packet.
    > 
    > While keeping our eyes on this, the majority appears to be coming from
    > China, but we do some domestic (USA), Turkey, and I believe a Brazilian.
    > 
    > I'm curious if anyone else is seeing these second-packet-only CodeReds.
    > 
    > Regards,
    > Frank
    > 
    > 
    > 
    > On Fri, 2003-04-25 at 13:55, Frank Knobbe wrote:
    ...
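The point the two posts are circling, as an added example that is not part of the thread: a CodeRed rule that keys on the start of the request line (`GET /default.ida?`) can only ever fire on the TCP segment that carries that line, so when that first segment is not seen, a per-packet detector has nothing to match on even though the rest of the request is on the wire. A rule on material further into the request still fires on the second segment alone, and a detector that saw the three-way handshake knows the first data sequence number and can report that the stream is missing its head. The sample bytes below are constructed for this example, modelled on the `GET /default.ida?XXXX` shape named above; the `%u`-encoded tail is a stand-in for the overflow payload, not a capture of the worm.

```python
import re

# Constructed sample (not a capture): a CodeRed-shaped request split across
# two TCP segments. Segment 1 carries the request line; segment 2 carries the
# rest of the padding, the %u-encoded tail, and the end of the request.
SEGMENT_1 = b"GET /default.ida?" + b"X" * 200
SEGMENT_2 = b"X" * 24 + b"%u9090%u6858%ucbd3%u7801" * 3 + b" HTTP/1.0\r\n\r\n"

# Hypothetical sequence numbers: after SYN / SYN,ACK / ACK the client's first
# data byte is at ISN + 1, which is what the handshake tells the detector.
CLIENT_ISN = 1000
FIRST_DATA_SEQ = CLIENT_ISN + 1

# Rule 1: what a naive per-packet CodeRed signature keys on. It can only ever
# match the segment that carries the request line.
SIG_REQUEST_LINE = re.compile(rb"GET /default\.ida\?")
# Rule 2: a content rule on the long run of padding plus the %u-encoded stub.
# That material sits later in the request, so it is present in segment 2
# even when segment 1 is never seen.
SIG_PAYLOAD = re.compile(rb"X{16,}.*%u9090%u6858%ucbd3%u7801", re.DOTALL)

SIGNATURES = {"request_line": SIG_REQUEST_LINE, "payload": SIG_PAYLOAD}


def per_packet_alerts(segments, signatures):
    """Run every signature against each TCP segment in isolation."""
    alerts = []
    for idx, seg in enumerate(segments):
        for name, sig in signatures.items():
            if sig.search(seg):
                alerts.append((idx, name))
    return alerts


def reassemble(segments_with_seq, first_data_seq=None):
    """Order (seq, payload) pairs and join them into one stream.

    Returns (stream, gaps). A gap is a (start, end) range of bytes that
    should have been there but was never seen; passing first_data_seq from
    the observed handshake lets a missing *first* segment be reported too."""
    ordered = sorted(segments_with_seq)
    expected = first_data_seq if first_data_seq is not None else ordered[0][0]
    stream = b""
    gaps = []
    for seq, payload in ordered:
        if seq > expected:
            gaps.append((expected, seq))
        stream += payload
        expected = seq + len(payload)
    return stream, gaps


def stream_alerts(stream, signatures):
    """Run every signature against the reassembled stream."""
    return [name for name, sig in signatures.items() if sig.search(stream)]


def analyse(segments_with_seq):
    """What per-packet matching and stream matching each see for one flow."""
    segments = [payload for _, payload in sorted(segments_with_seq)]
    stream, gaps = reassemble(segments_with_seq, FIRST_DATA_SEQ)
    return {
        "per_packet": per_packet_alerts(segments, SIGNATURES),
        "stream": stream_alerts(stream, SIGNATURES),
        "gaps": gaps,
    }


def full_request():
    """Both segments arrive in order: every rule has something to match."""
    return analyse([
        (FIRST_DATA_SEQ, SEGMENT_1),
        (FIRST_DATA_SEQ + len(SEGMENT_1), SEGMENT_2),
    ])


def second_packet_only():
    """The case described in the thread: only the second segment arrives.
    The request-line rule is blind; the payload rule still fires; and the
    reassembler, knowing the first data sequence number, reports the hole."""
    return analyse([(FIRST_DATA_SEQ + len(SEGMENT_1), SEGMENT_2)])


if __name__ == "__main__":
    print("full request     :", full_request())
    print("second packet only:", second_packet_only())
```

The takeaway for a detector is in the second function: a rule anchored on the first bytes of the request is a rule on one specific packet, and a sensor that never reassembles will stay silent when that packet is dropped, filtered or simply missed, while a rule on the later bytes, or a reassembled view with handshake state, still produces an alert and can additionally say that the head of the stream is missing.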
    