Snort mailing list archives
RE: CodeRed Observations.
From: "John York" <YorkJ () brcc edu>
Date: Wed, 12 Mar 2003 15:12:37 -0500
The main difference I'm seeing is that the new CodeReds send just a few attempts to my web servers (cmd.exe, ida, etc) instead of pounding them with a hundred or so like they did before.

John York
Network Engineer
Blue Ridge Community College
P.O. Box 80/One College Lane
Weyers Cave, VA 24486
540.453.2255
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of larosa, vjay
Sent: Wednesday, March 12, 2003 12:04 PM
To: 'intrusions () incidents org'
Cc: 'snort-users () lists sourceforge net'; 'focus-ids () securityfocus com'
Subject: [Snort-users] CodeRed Observations.

Hello,

I have been watching this recent spike in CodeRed activity and one thing I am noticing is the lack of TCP session establishment. I am seeing common GET strings like this showing up at my firewalls without ever establishing a TCP three-way handshake. I have seen several hundred packets within the last two days similar to this at my firewalls.
47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
Snip----------------------------------------------------------------------------

I find it awfully strange that there is no handshake (not even a single SYN to try and establish a session) but these packets show up anyway. I also am not seeing an increase of port 80 scans in my firewall logs or with any of my IDS sensors. Is anybody else out there seeing the same things we are?

Thanks!

vjl

V.Jay LaRosa
EMC Corporation
Information Security
4400 Computer Dr.
Westboro, MA 01580
(508)898-7433 office
(508)353-1348 cell
888-799-9750 pager
www.emc.com
larosa_vjay () emc com
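The check vjay's message implies (did this flow ever complete a three-way handshake before the GET arrived?), written out as an added example that is not part of the thread and not anyone's posted code. It assumes packets are already decoded into plain dicts with tcpdump-style flag letters (S, A, P, F, R), matches only the two probe strings the thread mentions (default.ida and cmd.exe; the exact substrings are an assumption for the example), and runs over constructed sample traffic, not a real capture.

```python
"""Flag Code Red style HTTP probes that arrive with no preceding TCP handshake.

Added example for the thread above. Packets are dicts (src, sport, dst, dport,
flags, payload); a real deployment would decode them from a pcap or sensor.
"""
from collections import defaultdict

# Probe substrings taken from the thread (default.ida, cmd.exe). Assumed for the
# example; a real signature set would be wider.
PROBE_PATTERNS = (b"/default.ida?", b"cmd.exe")


def flow_key(pkt):
    """Direction-independent key so both halves of a connection share state."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)


class HandshakeTracker:
    """Per-flow TCP state: 0 none, 1 SYN seen, 2 SYN-ACK seen, 3 established."""

    def __init__(self):
        self.state = defaultdict(int)
        self.initiator = {}

    def update(self, pkt):
        key = flow_key(pkt)
        flags = set(pkt["flags"])
        src = (pkt["src"], pkt["sport"])
        dst = (pkt["dst"], pkt["dport"])
        st = self.state[key]
        if "R" in flags:
            self.state[key] = 0                      # RST tears the flow down
        elif "S" in flags and "A" not in flags:
            self.state[key] = 1                      # client SYN
            self.initiator[key] = src
        elif st == 1 and {"S", "A"} <= flags and dst == self.initiator.get(key):
            self.state[key] = 2                      # server SYN-ACK
        elif st == 2 and "A" in flags and src == self.initiator.get(key):
            self.state[key] = 3                      # client ACK completes it
        return self.state[key]

    def established(self, pkt):
        return self.state[flow_key(pkt)] == 3


def request_uri(payload):
    """Return the request target of an HTTP GET, or None for anything else."""
    if not payload.startswith(b"GET "):
        return None
    parts = payload.split(b" ", 2)
    return parts[1] if len(parts) >= 2 else None


def find_probes(packets):
    """One record per probe payload, noting whether its flow had a handshake."""
    tracker = HandshakeTracker()
    hits = []
    for pkt in packets:
        tracker.update(pkt)
        uri = request_uri(pkt.get("payload", b""))
        if uri is None or not any(p in uri for p in PROBE_PATTERNS):
            continue
        hits.append({"src": pkt["src"],
                     "uri": uri.decode("ascii", "replace"),
                     "handshake": tracker.established(pkt)})
    return hits


def summarize(packets):
    hits = find_probes(packets)
    return {"probes": len(hits),
            "without_handshake": sum(1 for h in hits if not h["handshake"])}


def pkt(src, sport, dst, dport, flags, payload=b""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}


# Constructed sample traffic (not a capture). Flow 1: handshake, then the
# default.ida probe. Flow 2: the same payload on a 4-tuple that never sent a
# SYN, which is the case described in the thread. Flow 3: ordinary request.
# Flow 4: a cmd.exe probe after a handshake (path is made up for the example).
IDA = b"GET /default.ida?" + b"X" * 224 + b" HTTP/1.0\r\n\r\n"
SAMPLE_PACKETS = [
    pkt("10.0.0.5", 1025, "192.0.2.10", 80, "S"),
    pkt("192.0.2.10", 80, "10.0.0.5", 1025, "SA"),
    pkt("10.0.0.5", 1025, "192.0.2.10", 80, "A"),
    pkt("10.0.0.5", 1025, "192.0.2.10", 80, "PA", IDA),
    pkt("198.51.100.7", 3456, "192.0.2.10", 80, "PA", IDA),
    pkt("10.0.0.9", 2001, "192.0.2.10", 80, "S"),
    pkt("192.0.2.10", 80, "10.0.0.9", 2001, "SA"),
    pkt("10.0.0.9", 2001, "192.0.2.10", 80, "A"),
    pkt("10.0.0.9", 2001, "192.0.2.10", 80, "PA", b"GET /index.html HTTP/1.0\r\n\r\n"),
    pkt("10.0.0.11", 1100, "192.0.2.10", 80, "S"),
    pkt("192.0.2.10", 80, "10.0.0.11", 1100, "SA"),
    pkt("10.0.0.11", 1100, "192.0.2.10", 80, "A"),
    pkt("10.0.0.11", 1100, "192.0.2.10", 80, "PA", b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for h in find_probes(SAMPLE_PACKETS):
        print(("ESTAB " if h["handshake"] else "NOHS  ") + h["src"] + " " + h["uri"][:40])
    print(summarize(SAMPLE_PACKETS))
```

In Snort terms, a rule carrying `flow:established,to_server` fires only on sessions the stream preprocessor considers established, so it would match the first flow above and stay silent on the second; surfacing the handshake-less packets vjay describes needs a rule without the `flow:` option, or a packet-level check like the one here that records the missing handshake rather than just dropping the packet.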