Security Incidents mailing list archives

Re: New version of Code Red?


From: sleonard <ssl () ahsc arizona edu>
Date: Tue, 24 Jul 2001 22:47:35 -0700

Yep, that's it. Web logs on our Apache servers showed a single similar entry on
each of those servers, e.g.:
+++xx.foo.arizona.edu+++dialup.foo.arizona.edu - - [21/Jul/2001:22:53:37 -0700
] "GET/x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
HTTP/1.1" 404 1477

It was just me dialed in from home running the Code Red scanner on our subnet. :)

Nick Lehman wrote:

Looks very much like the URL eEye's 'Code Red Scanner' uses to test for
vulnerable machines.

http://www.eeye.com/html/Research/Tools/codered.html

Nick

-----Original Message-----
From: Dean Cunningham [mailto:Dean.Cunningham () ew govt nz]
Sent: Wednesday, 25 July 2001 7:32 AM
To: 'incidents () securityfocus com'
Subject: New version of Code Red?

An FYI, I have yet to see anything in my logs.

cheers
Dean

-----Original Message-----
From: MVick () mail uttyl edu [mailto:MVick () mail uttyl edu]
Sent: Wednesday, 25 July 2001 8:44 AM
To: NT System Admin Issues
Subject: New version of Code Red?

Computer at 172.158.225.228 does the 80 GET /x.ida, followed by AAA...
instead of NNN...
Then comes back 25 minutes later with 80 GET /iisstart.asp and 80 GET
/pagerror.gif

2001-07-23 11:05:32 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /x.ida
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X

200 -

2001-07-23 11:30:06 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET
/iisstart.asp
- 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)

2001-07-23 11:30:08 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET
/pagerror.gif
- 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)

And nslookup reports....

C:\>nslookup 172.158.255.228
Server:  xxxx.xxxxx.xxx
Address:  xxx.xxx.xxx.xxx

Name:    AC9EFFE4.ipt.aol.com
Address:  172.158.255.228

Michael Vick

***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
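An added example, not part of the original thread: a small log triage script that flags `.ida` requests carrying a long run of one repeated letter and separates the `A` padding discussed above from `N` padding. The sample lines are constructed (documentation addresses and hostnames), and the 32-character threshold, the label wording and the helper names are assumptions.

```python
import re
from collections import Counter

# GET for any .ida resource followed by 32+ repeats of one letter. Covers Apache
# lines ("GET /x.ida?AAA...") and IIS W3C lines ("GET /x.ida AAA...").
IDA_RE = re.compile(r"GET\s*(/\S*?\.ida)[?\s]+(([A-Za-z])\3{31,})", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
CONT_RE = re.compile(r"([A-Za-z])\1{3,}(=\S*)?")  # a hard-wrapped run of padding
# Assumed labels, following the thread: N padding vs. the scanner URL's A padding.
LABELS = {"N": "N padding (worm-style)", "A": "A padding (scanner-style)"}

def unwrap(lines):
    """Re-join entries whose padding was wrapped onto following lines."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if out and CONT_RE.fullmatch(line):
            out[-1] += line          # continuation of the previous entry
        else:
            out.append(line)
    return out

def classify(line):
    """Return details for a padded .ida probe, or None for any other request."""
    m = IDA_RE.search(line)
    if not m:
        return None
    ip = IP_RE.search(line)
    pad = m.group(3).upper()
    return {"client": ip.group(0) if ip else line.split()[0],
            "path": m.group(1), "pad": pad, "pad_len": len(m.group(2)),
            "label": LABELS.get(pad, "unknown padding")}

def summarize(lines):
    hits = [h for h in map(classify, unwrap(lines)) if h]
    return hits, Counter((h["client"], h["label"]) for h in hits)

SAMPLE = [  # constructed log lines, not taken from the thread
    "2001-07-23 11:05:32 192.0.2.10 - 198.51.100.5 80 GET /x.ida " + "A" * 40,
    "A" * 30, "", "A" * 20 + "=X",
    'dialup.example.edu - - [21/Jul/2001:22:53:37 -0700] "GET/x.ida?'
    + "A" * 64 + '=X HTTP/1.1" 404 1477',
    "2001-07-19 10:00:00 192.0.2.77 - 198.51.100.5 80 GET /default.ida "
    + "N" * 224 + " 200 -",
    "2001-07-23 11:30:06 192.0.2.10 - 198.51.100.5 80 GET /iisstart.asp - 200",
]

if __name__ == "__main__":
    for (client, label), n in summarize(SAMPLE)[1].items():
        print(client, label, n)
```

The response status still has to be read alongside each hit: the Apache entry quoted in the thread returned 404, while the IIS entry returned 200.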

