Bugtraq mailing list archives
Re: 'Code Red' does not seem to be scanning for IIS
From: daniel uriah clemens <dclemens () mail inline com>
Date: Thu, 19 Jul 2001 19:58:04 -0500 (CDT)
In short, it looks like there's two sets of worms out there. One is scanning large contiguous netblocks in an obvious fashion, the other is hunting and pecking about random IP addresses.
Wrong! What is happening is the worm always hits port 80; if it hits port 80 (regardless of whether it's Apache or IIS... it's port 80) it then drops the buffer overflow code on it. I have seen 4800 attacks on 3 class C's so far; I am about to hook in a few more sensors all night.

The worm attacks a random IP on port 80. If the port is closed you see this:

  Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
  Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80

If port 80 is open you will then see this:

  Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
  Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80

Also, to add, this is crashing Novell BorderManager servers, Cisco IOS (with web administration enabled etc etc...)

Hope this helps someone.

-Daniel Uriah Clemens
--
"A true friend stabs you in the front." - Oscar Wilde
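An added example, not part of the original post: the two alert patterns described in the message above, tallied per source from Snort syslog lines in the layout quoted there. The first four sample lines are the ones from the post; the remaining lines, the function names, and the 198.51.100.x / 192.0.2.x addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Snort syslog alert layout as quoted in the post (host field may be "name" or "name/ip").
ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ snort: (?P<sig>IDS\d+/.+?): "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
PROBE_SIG = "scan_Traceroute"        # per the post: seen when port 80 was closed
OVERFLOW_SIG = "ISAPI Overflow ida"  # per the post: seen when port 80 was open

def summarize(lines):
    """Return {src: {"probe": set(dst), "overflow": set(dst), "alerts": n}} for port 80."""
    seen = set()
    hits = defaultdict(lambda: {"probe": set(), "overflow": set(), "alerts": 0})
    for line in lines:
        m = ALERT.match(line.strip())
        if not m or m["dport"] != "80":
            continue
        if m.groups() in seen:  # the post shows each alert logged twice; count once
            continue
        seen.add(m.groups())
        kind = ("overflow" if OVERFLOW_SIG in m["sig"]
                else "probe" if PROBE_SIG in m["sig"] else None)
        if kind is None:
            continue
        hits[m["src"]][kind].add(m["dst"])
        hits[m["src"]]["alerts"] += 1
    return dict(hits)

def overflow_sources(summary):
    """Sources that sent the .ida overflow at least once (likely infected hosts)."""
    return sorted(s for s, h in summary.items() if h["overflow"])

# First four lines are from the post; the last four are constructed sample data.
SAMPLE = """\
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
Jul 19 20:10:01 ephesians snort: IDS3/scan_Traceroute TCP: 198.51.100.9:4101 -> 192.0.2.10:80
Jul 19 20:10:02 ephesians snort: IDS3/scan_Traceroute TCP: 198.51.100.9:4102 -> 192.0.2.11:80
Jul 19 20:10:03 ephesians snort: IDS3/scan_Traceroute TCP: 198.51.100.9:4104 -> 192.0.2.10:22
Jul 19 20:10:04 ephesians snort: IDS552/web-iis_IIS ISAPI Overflow ida: 198.51.100.9:4103 -> 192.0.2.12:80
"""

if __name__ == "__main__":
    for src, h in summarize(SAMPLE.splitlines()).items():
        print(src, h["alerts"], sorted(h["probe"]), sorted(h["overflow"]))
```

The list from `overflow_sources` is a starting point for notifying the owners of the sending hosts, since every address on it delivered the overflow request to a listening web server.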