Security Incidents mailing list archives
RE: CRv2 multiple scans from same source IP
From: "Andrew Cruse" <acruse () design-synergy com>
Date: Mon, 6 Aug 2001 16:46:52 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One possibility we seem to be overlooking here is that it's conceivable that we have several servers with RFC 1918 addresses sitting behind a firewall/proxy in some kind of NAT/port-forwarding setup, and the IP in the logs is actually the IP address of the firewall.

Andrew

- -----Original Message-----
From: Lee Smith [mailto:lee () booksys com]
Sent: Monday, August 06, 2001 3:15 PM
To: corecode
Cc: jwd_ods () hotmail com; incidents () securityfocus com
Subject: Re: CRv2 multiple scans from same source IP
NOW: CodeRedII (this name is easily mistaken with CRv2, so I would propose another name: I started calling it ida_root since my first analysis on 5th Aug, 7:34 GMT). This worm always infects one host only _once_; it checks for double infection. It could generate the same IP address again in its PRNG, but the chance of this happening is near 0.
You would think it should be near 0, but unless I'm mistaken this should be CR II, correct?

x.x.x.x - - [06/Aug/2001:09:18:20 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278
x.x.x.x - - [06/Aug/2001:09:18:23 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:13 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:53 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:57 -0500] <snip>

All from the same IP address, out of my Apache logs.

- ----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO28CPNU0NpnwXzrpEQIHtACg+frXpSxFREhPxHBNZnF//V0J2T0AmQFS
XKpEQVXeUUkzmKGcTZ66sL9s
=XGwf
-----END PGP SIGNATURE-----
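The thread's question is how one source IP can show up repeatedly in the `/default.ida` hits when the worm is supposed to hit a host only once, and Andrew's answer is a NAT or proxy fronting several infected machines. The script below is an added example, not code posted to the list: it parses Apache access-log lines of the shape Lee quoted, labels each `/default.ida` probe by worm family (Code Red v1/v2 pads the query with `N`, Code Red II with `X`, both followed by the same `%u9090%u6858%ucbd3%u7801` shellcode prefix; that fingerprint is the published one), groups hits per source IP, and flags sources that hit more than once inside a short window, which is the pattern a NAT'd cluster of infected hosts would produce. The sample log lines are constructed (TEST-NET addresses, shortened padding) and the "repeat source" threshold is this example's own heuristic.

```python
"""Group Code Red-style /default.ida probes in an Apache access log by source IP.

Added example for the incidents thread; not code from the list or its posters.
Assumes Apache common/combined log format. The N-vs-X padding distinction is the
published Code Red v1/v2 vs Code Red II fingerprint; the repeat-source window
heuristic is this example's own choice.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: ip ident user [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Start of the encoded shellcode shared by both Code Red families.
SHELLCODE_MARKER = "%u9090%u6858%ucbd3%u7801"


def classify(uri):
    """Label a request URI by worm family, or None if it is not an .ida overflow probe."""
    if not uri.startswith("/default.ida?") or SHELLCODE_MARKER not in uri:
        return None
    pad = uri[len("/default.ida?"):][:1]
    if pad == "X":
        return "CodeRedII"
    if pad == "N":
        return "CodeRed v1/v2"
    return "ida overflow (unknown variant)"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "uri": m["uri"],
            "status": int(m["status"]), "family": classify(m["uri"])}


def summarize(log_text):
    """Per source IP: number of worm hits, families seen, first and last timestamp."""
    per_ip = defaultdict(lambda: {"hits": 0, "families": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["family"] is None:
            continue  # not a worm probe (or not a log line at all)
        s = per_ip[rec["ip"]]
        s["hits"] += 1
        s["families"].add(rec["family"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(per_ip)


def repeat_sources(summary, min_hits=2, within=timedelta(minutes=10)):
    """Sources that hit at least min_hits times inside `within`.

    A single infected host should hit once; a cluster of infected hosts behind one
    NAT/proxy address (the thread's hypothesis) shows up as a repeat source.
    """
    return sorted(ip for ip, s in summary.items()
                  if s["hits"] >= min_hits and s["last"] - s["first"] <= within)


def _probe(pad):
    """Constructed probe URI with shortened padding (the real worm uses a long run)."""
    tail = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090"
            "%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
    return "/default.ida?" + pad * 16 + SHELLCODE_MARKER + tail


# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [06/Aug/2001:09:18:20 -0500] "GET {_probe("X")} HTTP/1.0" 404 278',
    f'192.0.2.10 - - [06/Aug/2001:09:18:23 -0500] "GET {_probe("X")} HTTP/1.0" 404 278',
    f'192.0.2.10 - - [06/Aug/2001:09:23:44 -0500] "GET {_probe("X")} HTTP/1.0" 404 278',
    f'198.51.100.7 - - [06/Aug/2001:09:20:01 -0500] "GET {_probe("N")} HTTP/1.0" 404 278',
    '203.0.113.5 - - [06/Aug/2001:09:21:15 -0500] "GET /index.html HTTP/1.0" 200 1043',
])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in sorted(summary.items()):
        print(f"{ip}: {s['hits']} hit(s), {sorted(s['families'])}, {s['first']} .. {s['last']}")
    print("repeat sources:", repeat_sources(summary))
```

Run against a real log with `summarize(open("access_log").read())`; a repeat source is only a lead, since a single host re-infected after a reboot, or a scanner replaying the request, produces the same pattern, so confirm the NAT explanation from the far side before treating one address as many hosts.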
Current thread:
- CRv2 multiple scans from same source IP John Davidson (Aug 05)
- Re: CRv2 multiple scans from same source IP Luc Pardon (Aug 05)
- Re: CRv2 multiple scans from same source IP Chris Freeze (Aug 05)
- Re: CRv2 multiple scans from same source IP Chris Freeze (Aug 05)
- RE: CRv2 multiple scans from same source IP Gareth Hastings (Aug 06)
- Re: CRv2 multiple scans from same source IP Paul Gear (Aug 06)
- Re: CRv2 multiple scans from same source IP Valdis . Kletnieks (Aug 05)
- RE: CRv2 multiple scans from same source IP robh (Aug 05)
- Re: CRv2 multiple scans from same source IP corecode (Aug 06)
- Re: CRv2 multiple scans from same source IP Lee Smith (Aug 06)
- RE: CRv2 multiple scans from same source IP Andrew Cruse (Aug 06)
- Re: CRv2 multiple scans from same source IP Ryan Russell (Aug 06)
- Re: CRv2 multiple scans from same source IP Andy Berkheimer (Aug 06)
- Re: CRv2 multiple scans from same source IP corecode (Aug 07)
- Re: CRv2 multiple scans from same source IP Lee Smith (Aug 06)
- Re: CRv2 multiple scans from same source IP Bryan Andersen (Aug 06)
- Re: CRv2 multiple scans from same source IP Luc Pardon (Aug 05)
- <Possible follow-ups>
- RE: CRv2 multiple scans from same source IP Tim Hollebeek (Aug 06)
- RE: CRv2 multiple scans from same source IP corecode (Aug 06)