Bugtraq mailing list archives
RE: 'Code Red' does not seem to be scanning for IIS
From: "Marc Maiffret" <marc () eeye com>
Date: Thu, 19 Jul 2001 22:28:32 -0000
the worm just tries port 80 on ip's. doesnt care if its IIS or not. also as for the ip seed thing... we have heard reports there is a variant worm that is doing truly random IP addresses. We dont have any more info on that though. Signed, Marc Maiffret Chief Hacking Officer eEye Digital Security T.949.349.9062 F.949.349.9538 http://eEye.com/Retina - Network Security Scanner http://eEye.com/Iris - Network Traffic Analyzer http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities |-----Original Message----- |From: Mike Brockman [mailto:phubuh () home se] |Sent: Thursday, July 19, 2001 9:33 PM |To: bugtraq () securityfocus com |Subject: 'Code Red' does not seem to be scanning for IIS | | |>From what i read about the 'Code Red'-worm, it was supposed to be scanning |for IIS-servers. It obviously is'nt, i believe it tries to infect |everything they find on port 80, or something as simple as that. | |About three to four days ago, i started to get those default.ida-GET's in |my Apache-logs. I shut down the server as fast as i could, and checked for |outgoing connections from my computer, and then did some research. |I was told that it was an IIS-worm, and that it could'nt affect |Apache-servers, so i was safe. I turned the server back on, and from that |day i have received forty-one attempts. | |How can this be? Why am i getting so few attempts, if it is as eEye says |-- that every worm-instance has the same seed? |I should be getting tons and tons of tries, if the worm has been around |for this long. Or is it that my IP is high up in the "sequence", and not |many comes that far? If that is the case, the number should be increasing |fast in the near future, right? | |I'll come back with a report in a week or so. | |________________________________ | m'name be mike brockman! jeeh! |_ooh,_und_dunt_feed_my_eskimoes_ | |
Current thread:
- 'Code Red' does not seem to be scanning for IIS Mike Brockman (Jul 19)
- RE: 'Code Red' does not seem to be scanning for IIS Marc Maiffret (Jul 19)
- RE: 'Code Red' does not seem to be scanning for IIS Emre Yildirim (Jul 19)
- Re: 'Code Red' does not seem to be scanning for IIS Ethan Butterfield (Jul 19)
- Re: 'Code Red' does not seem to be scanning for IIS daniel uriah clemens (Jul 19)
- Re: 'Code Red' does not seem to be scanning for IIS Ryan Russell (Jul 19)
- <Possible follow-ups>
- RE: 'Code Red' does not seem to be scanning for IIS Kelly Martin (Jul 19)
- Re(2): 'Code Red' does not seem to be scanning for IIS Ken Eichman (Jul 19)
- RE: 'Code Red' does not seem to be scanning for IIS Duncan Hill (Jul 19)
- Re: 'Code Red' does not seem to be scanning for IIS Stephen Cimarelli (Jul 19)
- RE: 'Code Red' does not seem to be scanning for IIS Tony Langdon (Jul 19)
- Re: 'Code Red' does not seem to be scanning for IIS George William Herbert (Jul 20)
- RE: 'Code Red' does not seem to be scanning for IIS Marc Maiffret (Jul 19)