RE: 'Code Red' does not seem to be scanning for IIS

["Marc Maiffret" <marc () eeye com>]

the worm just tries port 80 on ip's. doesnt care if its IIS or not.

also as for the ip seed thing... we have heard reports there is a variant
worm that is doing truly random IP addresses. We dont have any more info on
that though.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

|-----Original Message-----
|From: Mike Brockman [mailto:phubuh () home se]
|Sent: Thursday, July 19, 2001 9:33 PM
|To: bugtraq () securityfocus com
|Subject: 'Code Red' does not seem to be scanning for IIS
|
|
|>From what i read about the 'Code Red'-worm, it was supposed to be scanning
|for IIS-servers. It obviously is'nt, i believe it tries to infect
|everything they find on port 80, or something as simple as that.
|
|About three to four days ago, i started to get those default.ida-GET's in
|my Apache-logs. I shut down the server as fast as i could, and checked for
|outgoing connections from my computer, and then did some research.
|I was told that it was an IIS-worm, and that it could'nt affect
|Apache-servers, so i was safe. I turned the server back on, and from that
|day i have received forty-one attempts.
|
|How can this be? Why am i getting so few attempts, if it is as eEye says
|-- that every worm-instance has the same seed?
|I should be getting tons and tons of tries, if the worm has been around
|for this long. Or is it that my IP is high up in the "sequence", and not
|many comes that far? If that is the case, the number should be increasing
|fast in the near future, right?
|
|I'll come back with a report in a week or so.
|
|________________________________
| m'name be mike brockman! jeeh!
|_ooh,_und_dunt_feed_my_eskimoes_
|
|