CodeRed from non-IIS machines???

[Tom Kyle <tom () eos umsl edu>]

I've been learning Snort on the fly attempting to track down
CodeRed-infected machines here at my university.  Unfortunately, we have
many partially-administered IIS servers on the network.  Fortunately,
that number is dropping as a result of CodeRed and CodeRed II.

I started seeing some very odd things since getting 1.8.1-beta6 up and
running on Solaris8 / Ultra5 last night.  What I'm seeing is several
machines that are NOT Win2k boxes OR running IIS being the sources of
CodeRed I-style overflows.  All IP's seem to be NT4.0 or 98 boxes, some
of them locked-down lab workstation.  The destination addresses are
rather odd, as well, being rather popular surfing destinations, such as
cgi.ebay.com, aolmail.aol.com, www.law8.hotmail.com, and our ISP's
akamaitech cache, not random, off-the-wall hits and misses like I
expected.  

I was able to get a peek at one of the machines this morning, and did
not find anything unusual, although Explorer seemed rather willing to
segfault rather frequently.  Coming from a UNIX background, I wasn't
exactly sure where to look for anything nasty, and I was also perplexed
as this was a lab machine that are pretty neatly locked down (AFAIK).

Has anyone else found anything similar?


TIA,

Tom

-- 

Thomas A. Kyle
Network Security Administrator
University of Missouri-St. Louis
tkyle () jinx umsl edu
(314) 516-6012

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users