Security Incidents mailing list archives

Code Red Scans

From: Nicholas Bachmann <nbachmann () mail davison k12 mi us>
Date: Wed, 01 Aug 2001 13:32:59 -0400

Hi-

Today I have received attempts from someone on your network (IP:201.35.181.208) to exploit the "CodeRed" vulnerability that exists in Microsoft IIS. Using the Unix tool"host" I determined that the IP

201.35.181.208 resolves to nwmrb35210.smarttadsl.com as demonstrated:

[root@bachmann <mailto:root@bachmann> /root]# host 208.181.35.210
210.35.181.208.in-addr.arpa. domain name pointer nwmrb35210.smarttadsl.com.

Below are the commands I used to determine that this computer hasattempted to infect my machine.


*Accrding to my Apache logs:*

[root@bachmann <mailto:root@bachmann> /root]# grep ida?/var/log/httpd/access_log208.181.35.210 - - [01/Aug/2001:11:40:04 -0400] "GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=aHTTP/1.0" 400 324

[root@bachmann <mailto:root@bachmann> /root]# grep 208.181.35.210/var/log/httpd/error_log[Wed Aug 1 11:40:03 2001] [error] [client 208.181.35.210] Client sentmalformed Host header


*And from my Firewall logs:*

[root@bachmann <mailto:root@bachmann> /root]# grep SRC=208.181.35.210/var/log/kerninfoAug 1 12:14:24 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=15376 DFPROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0Aug 1 12:14:27 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=15458 DFPROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0Aug 1 12:14:33 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=15645 DFPROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0Aug 1 12:14:45 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=16041 DFPROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0Aug 1 12:15:09 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=16816 DFPROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0Aug 1 12:15:57 bachmann kernel: IN=ppp0 OUT= MAC= SRC=208.181.35.210DST=209.255.91.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=18389 DFPROTO=TCP SPT=80 DPT=1673 WINDOW=17082 RES=0x00 ACK FIN URGP=0


I would appreciate action being taken to correct this matter.

--
                Regards,
                N



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

Current thread:

Code Red Scans Nicholas Bachmann (Aug 01)
- <Possible follow-ups>
- code red scans Ed Miles (Aug 01)
- RE: code red scans Ralph Gervolino (Aug 01)