
RE: New CodeRed strain? -- UPDATE

From: larosa, vjay <larosa_vjay(at)emc.com>
Date: Tue Apr 29 2003 - 22:38:03 EDT


AHA! I reported this about a month ago and everyone thought I was crazy! I have all sorts of packet captures of this kind of activity. There are cmd.exe attempts, root.exe attempts, and the classic default.ida?X and default.ida?N attempts, but no TCP three-way handshake. It is very strange. These attempts are destined to IP addresses that are not even up and running, never mind that they are all firewalled off from the outside. We should compare notes. If you want to, you can contact me off the list.

vjl

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe@knobbeits.com]
Sent: Monday, April 28, 2003 1:13 PM
To: incidents@securityfocus.com
Subject: Re: New CodeRed strain? -- UPDATE

As I see it did make it to the list, here an update.

The reason this packet hasn't been tripping the usual signatures is simple. We are receiving *only* the second packet. There is no first packet with GET /default.ida?XXXX etc.

The packet itself appears to be classic CodeRed (II I believe), but again, we're getting only the second packet. No TCP 3-way, for first packet.

While keeping our eyes on this, the majority appears to be coming from China, but we do see some domestic (USA), Turkey, and I believe a Brazilian.

I'm curious if anyone else is seeing these second-packet-only CodeReds.

Do you need help?X

Regards,
Frank

On Fri, 2003-04-25 at 13:55, Frank Knobbe wrote:
> Greetings,
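The detection gap both posters describe (exploit payloads arriving with no SYN/SYN-ACK/ACK, so a session-aware signature engine never looks at them) can be checked for in a capture with a small flow tracker. The following is an added example, not code from either post; the packet records, addresses and payloads are constructed, and the `Packet` tuple and `classify_packets` function are this example's own.

```python
# Added example (not from the list post): a small flow tracker over
# constructed packet records that shows why a signature engine inspecting only
# established TCP sessions misses "second packet only" CodeRed probes.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flags payload")  # flags: S, SA, A, PA

# Request fragments the posters report seeing (default.ida?X / ?N, cmd.exe, root.exe)
PROBE_PATTERNS = (b"/default.ida?", b"cmd.exe", b"root.exe")

def classify_packets(packets):
    """Return (kind, src, dst) alerts for payload-bearing packets whose flow never
    completed a SYN / SYN-ACK / ACK handshake in this capture.

    kind is the matched probe pattern when the request line is present, or
    "orphan-data" for any other mid-stream payload with no handshake (the case
    in the post where only the second packet, without the GET line, arrives).
    Handshaked flows are left to the normal stateful signatures.
    """
    syn_seen, synack_seen, established = set(), set(), set()
    alerts = []
    for p in packets:
        flow, reverse = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "S":
            syn_seen.add(flow)
        elif p.flags == "SA" and reverse in syn_seen:
            synack_seen.add(reverse)          # handshake progressing for client->server
        elif p.flags == "A" and flow in synack_seen:
            established.add(flow)
        if not p.payload or flow in established:
            continue
        kind = next((pat.decode() for pat in PROBE_PATTERNS if pat in p.payload),
                    "orphan-data")
        alerts.append((kind, p.src, p.dst))
    return alerts

# Constructed sample capture: one proper session, then three handshake-less packets.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", "S", b""),
    Packet("192.0.2.10", "10.0.0.5", "SA", b""),
    Packet("10.0.0.5", "192.0.2.10", "A", b""),
    Packet("10.0.0.5", "192.0.2.10", "PA", b"GET /index.html HTTP/1.0\r\n"),
    Packet("198.51.100.7", "192.0.2.20", "PA", b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n"),
    Packet("198.51.100.8", "192.0.2.21", "PA", b"GET /scripts/root.exe HTTP/1.0\r\n"),
    Packet("198.51.100.9", "192.0.2.22", "PA", b"\x00\x01second-fragment-(constructed)"),
]

if __name__ == "__main__":
    for kind, src, dst in classify_packets(SAMPLE):
        print(f"{kind:14} {src} -> {dst}")
```

On a real capture, flows that began before the capture started will also show up as "orphan-data", so the result needs the context the posters give: for addresses that are firewalled or not even in use, no legitimate flow can exist at all.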



Received on Wed Apr 30 13:12:51 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:04 EDT

