Security Incidents mailing list archives
Re: Someone looking for CodeRed infected boxes ?
From: "Joao Gouveia" <jgouveia () accao net>
Date: Fri, 28 Jun 2002 16:52:47 +0100
Hi, It would, very obviously, be a transparent proxy. But, the weird thing here, is that the request has a valid host header, unlike nimda/code red. JG ----- Original Message ----- From: "Cliff Albert" <cliff () oisec net> To: "Maxime Ducharme" <maxime () pandore-design com> Cc: <incidents () securityfocus com> Sent: Thursday, June 27, 2002 7:20 AM Subject: Re: Someone looking for CodeRed infected boxes ?
On Wed, Jun 26, 2002 at 10:18:36AM -0400, Maxime Ducharme wrote:2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1 65.94.25.135 - - - 2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0
HTTP/1.1
65.94.25.135 - - - Sent packet show : GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ HTTP/1.1 Host: 65.94.25.135 Connection: keep-alive Accept: */* X-Forwarded-For: 212.179.220.111 Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3) The proxy is relaying itself ? not much sense The worm generated header on-the-fly ?The NetCache proxyserver is a Hardware-base proxyserver from NetApp which usually runs in transparent mode. Thus also proxying nimda/codered runs. -- Cliff Albert | RIPE: CA3348-RIPE | http://oisec.net/ cliff () oisec net | 6BONE: CA2-6BONE | --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Someone looking for CodeRed infected boxes ? Maxime Ducharme (Jun 26)
- Re: Someone looking for CodeRed infected boxes ? Cliff Albert (Jun 27)
- Re: Someone looking for CodeRed infected boxes ? Joao Gouveia (Jun 28)
- Re: Someone looking for CodeRed infected boxes ? Maxime Ducharme (Jun 28)
- Re: Someone looking for CodeRed infected boxes ? Joao Gouveia (Jun 28)
- Re: Someone looking for CodeRed infected boxes ? Cliff Albert (Jun 27)