Re: CRv3?? [was RE: Code Red Rule?]

[Mike Baptiste <baptiste () cc-concepts com>]

Yeah I got a few replies already - whoops - I try to keep up with all the lists 
and must have missed that thread :(  I had wondered about the lack of any 
noticable payload beyond the X, but had trouble finding any info on the 
signature/request.  Guess I didn't look hard enough :)

What I find interesting is I'm getting scanned from completely different 
networks than mine - which begs the question - are they good samaritans or are 
they from folks looking for new hosts to 'seed'  I've gotten hit from hosts in 
and outside the US and they only started around 5PM - haven't seen any before 
that.  Its also strange that each host probes twice a couple minutes apart 
unless that's how the Eeye program works (I haven't run it - no IIS here)

I guess it could be folks trying to find and alert anyone with a vulnerable 
host, but for the probes to appear 3 hours before the next infection window is, 
well, interesting.

Here's hoping for a dull evening. :)

Mike

Quoting "Douglas R. Wilson" <dougw () capu net>:

> This is the signature of the eEye tool to scan for Code Red
> vulnerabilities.
> A lot of sysadmins are using it in preparation for this evenings next
> "outbreak" to see if there are still vulnerable systems on their
> networks.
>
> http://www.eeye.com/html/Research/Tools/codered.html
>
> please note that it uses a different character for the overflow
> character,
> and there is no payload to be delivered after the buffer overflow. The
> scanner just checks the response that the server gives to see whether
> the
> vulnerability exists or not.
>
> doug
>
> --
>
> ===========================================
> Douglas R. Wilson | dougw () capu net
> Systems Administrator
> CapuNet, LLC - Corporate Internet Solutions
> ===========================================
>
>
>
> ----- Original Message -----
> From: "Mike Baptiste" <baptiste () cc-concepts com>
> To: <berjo () ozemail com au>; "John Berkers" <berjo () ozemail com au>
> Cc: "Snort Users List (E-mail)" <snort-users () lists sourceforge net>
> Sent: Tuesday, July 31, 2001 6:54 PM
> Subject: CRv3?? [was RE: [Snort-users] Code Red Rule?]
>
>
> > Removing the 'default' was a good idea.  I'm not sure if these are
> Code
> Red v3
> > or some other probe tool, but since 5PM today my web servers have been
> probed
> > about 10 times and the probe is NOT the same as CRv2:
> >
> > 136.176.193.[some#] - - [31/Jul/2001:16:57:45 -0400] "GET /x.ida?
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> >
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
> HTTP/1.1"
> 404
> > 280 "-" "-"
> >
> > [somehost].bradley.edu - - [31/Jul/2001:17:09:40 -0400] "GET /x.ida?
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> >
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
> HTTP/1.1"
> 404
> > 211 "-" "-"
> >
> > Each of my servers gets probed twice by the same infected host, about
> 2
> minutes
> > apart.
> >
> > Just thought I'd pass on the info - this may be something else
> entirely -
> I
> > tried searching for this signature and came up empty but the various
> security
> > sites are a bit slow tonight (no surprise) and the searches didn't
> always
> work.
> > We'll see how it goes!
> >
> > Mike
> >
> >
> > Quoting John Berkers <berjo () ozemail com au>:
> >
> > > For Snort 1.7 I would suggest content:".ida?";nocase , for snort 1.8
> > > uricontent:".ida?";nocase
> > >
> > > Removing the /default portion of the content makes the signature
> more
> > > generic, since in theory the ida overflow could be done via
> index.ida as
> > > well.  The ? reduces the number of false alerts as the ? is required
> to
> > > produce the overflow.  Finally, the nocase removes any case
> sensitivity
> > > the
> > > rule would otherwise have, which Windows doesn't.  It might also be
> > > worthwhile to add a dsize: >239; flags A+ as per both Snort and
> > > Whitehats
> > > rules to further reduce false positives.
> > >
> > > The rule already exists in web-iis.rules from snort CVS since 19
> June,
> > > and
> > > also in Whitehats vision17.rules and vision18.rules from around the
> same
> > > time.
> > >
> > > Lets hope all the preparation has paid off!
> > >
> > > Regards,
> > >
> > > John Berkers
> > > berjo () ozemail com au
> > >
> > >
> > > -----Original Message-----
> > > From: snort-users-admin () lists sourceforge net
> > > [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Richard
> > > Parker
> > > Sent: Tuesday, 31 July 2001 4:57
> > > To: Snort-users () lists sourceforge net
> > > Subject: [Snort-users] Code Red Rule?
> > >
> > >
> > > Hi,
> > >
> > > I'm relatively new to snort, could someone comment on this rule for
> > > catching Code Red?
> > >
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Code Red
> default.ida
> > > attempt"; flags:PA; content:"GET /default.ida"; nocase;)
> > >
> > > Is that right?
> > >
> > > TIA
> > >
> > > Rich
> > >
> > > --
> > > Richard Parker, Expressive Limited
> > >
> > > -> bash luser
> > > With what? Your bare hands?
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users