Publius5

join:2001-06-08
Mandeville, LA

reply to Steve

Re: Code Red II worm analysis

I keep getting this server busy message.

I'm going to start probing these hits to see if I can find a common denominator.

Page I get:

The page cannot be displayed
There are too many people accessing the Web site at this time.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

Open the adsl-61-4-56.mia.bellsouth.net home page, and then look for links to the information you want.
HTTP 403.9 - Access Forbidden: Too many users are connected
Internet Information Services

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Background:
This error can occur if the Web server is busy and cannot process your request due to heavy traffic.

More information:
Microsoft Support


RenHoek
You Eeeediot
Premium
join:2000-10-02
Peyton, CO

reply to Steve
It (the server you are trying to access) is probably too busy trying to probe other machines to try to infect. I've seen multiple (8+) attempts from the same machine, so I'm sure it just will sit there and bang away on a range of IPs trying to find a new host to infect.

It looks like, for whatever reason, this thing even retries IPs at some interval.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Publius5

said by Publius:
I keep getting this server busy message.
This is not a surprise, because I think the worm actually disables the server. But some of them have inevitably been rebooted since they hit your logs, so if you go through enough (dozens, perhaps), you may find some that are up. I would start with the older entries in your logs and work to newer.

If this sounds tedious, "welcome to the world of security research".

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


Kesh

@telia.com

reply to Steve
Steve, you've hooked my curiosity

I'll have a look at that wormie thing (thanks for posting it btw). My tools: Hackers View (HIEWxxx) DOS on-the-fly disassembly file browser, and W32DASM - code file creator and debugger. Perfect - small and fast - disassembly environment.

But due to a disk-crash I'll have to work on a 486. Only machine left with a Win system.

This variant is now the main one in my log file. Concluded by the neighbourhood preference...



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by Kesh:
I'll have a look at that wormie thing (thank's for posting it btw). My tools: Hackers View (HIEWxxx) DOS on-the-fly disassembly file browser, and W32DASM - code file creator and debugger. Perfect - small and fast - disassembly environment.
Well it's nice to have more eyes on the project besides eEye

I'm using Sourcer, which is just a horrid piece of software under NT (limit of 8-char labels, for instance). I'm also hampered by not being very good with the whole world of segment registers.

More tidbits for the assembler dudes: there is a chunk of data referenced by
DWORD PTR DS:[0FFFFFE58H][EBP]
where the hex is replaced by some other offset. I am fuzzy on the addressing (though I know these are ultimately negative numbers), but I've found some correspondences to real variables:

0FFFFFE58H my IP address
0FFFFFE5CH generic 260-byte string buffer
0FFFFFE3CH buffer for SYSTEMTIME
0FFFFFE38H 0 for new infections, 1 for second visits by new worms

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
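As an added example, not code from Steve's or eEye's analysis: a small Python helper that turns the Sourcer/MASM operand notation above (`DWORD PTR DS:[0FFFFFE58H][EBP]`) into signed EBP-relative displacements, which is what the "ultimately negative numbers" are, and lays the four locals out as a frame map with the gaps between them. Only the 260-byte buffer size comes from the post; the sizes assumed for the IP address (4 bytes), the SYSTEMTIME (16 bytes) and the flag (4 bytes) are my assumptions, and an overlap in the resulting map would mean one of those guesses is wrong.

```python
"""
Decode MASM/Sourcer-style EBP-relative operands such as
    DWORD PTR DS:[0FFFFFE58H][EBP]
into signed stack displacements and build a frame map of the locals.
Added example; not Steve's or eEye's code.
"""
import re

# size prefix, optional segment override, hex displacement with MASM 'H' suffix, then [EBP]
OPERAND_RE = re.compile(
    r"(?P<size>BYTE|WORD|DWORD)\s+PTR\s+(?:[A-Z]{2}:)?\[(?P<disp>[0-9A-F]+)H?\]\[EBP\]",
    re.IGNORECASE,
)

SIZE_BYTES = {"BYTE": 1, "WORD": 2, "DWORD": 4}


def masm_hex_to_signed(literal, bits=32):
    """'0FFFFFE58H' -> -424; '8H' -> 8.  MASM writes a leading 0 so the literal
    does not start with a letter, and the trailing H marks it as hex."""
    digits = literal.strip().upper().rstrip("H")
    value = int(digits, 16)
    if value >= 1 << bits:
        raise ValueError(f"{literal} does not fit in {bits} bits")
    if value & (1 << (bits - 1)):      # sign bit set: two's-complement negative
        value -= 1 << bits
    return value


def parse_operand(text):
    """Return (access size in bytes, signed displacement) for one operand."""
    m = OPERAND_RE.search(text)
    if not m:
        raise ValueError(f"not an EBP-relative operand: {text!r}")
    return SIZE_BYTES[m.group("size").upper()], masm_hex_to_signed(m.group("disp"))


def ebp_notation(disp):
    """-424 -> '[ebp-0x1a8]', 8 -> '[ebp+0x8]' (the form most other disassemblers print)."""
    sign = "-" if disp < 0 else "+"
    return f"[ebp{sign}0x{abs(disp):x}]"


# Locals named in the thread.  260 is from the post; the other sizes are my
# assumptions (IPv4 address = 4, sizeof(SYSTEMTIME) = 16, int flag = 4).
KNOWN_LOCALS = [
    ("0FFFFFE58H", 4,   "my IP address"),
    ("0FFFFFE5CH", 260, "generic 260-byte string buffer"),
    ("0FFFFFE3CH", 16,  "buffer for SYSTEMTIME"),
    ("0FFFFFE38H", 4,   "0 for new infections, 1 for second visits"),
]


def frame_map(locals_=KNOWN_LOCALS):
    """Sort locals by displacement (most negative = deepest in the frame) and
    record the gap to the next slot; a negative gap means two extents overlap."""
    rows = sorted((masm_hex_to_signed(h), size, name) for h, size, name in locals_)
    out = []
    for i, (disp, size, name) in enumerate(rows):
        end = disp + size                      # first byte past this variable
        next_disp = rows[i + 1][0] if i + 1 < len(rows) else None
        out.append({
            "slot": ebp_notation(disp),
            "disp": disp,
            "size": size,
            "name": name,
            "gap_to_next": None if next_disp is None else next_disp - end,
        })
    return out


def overlaps(frame):
    """Names of entries whose assumed size runs into the next slot."""
    return [e["name"] for e in frame
            if e["gap_to_next"] is not None and e["gap_to_next"] < 0]


if __name__ == "__main__":
    for entry in frame_map():
        print(f"{entry['slot']:<14} {entry['size']:>4} bytes  {entry['name']}")
    print("overlapping size guesses:", overlaps(frame_map()) or "none")
```

With the assumed sizes the four slots sit at ebp-456, ebp-452, ebp-424 and ebp-420 with no overlap, which is at least consistent with the correspondences listed in the post; a 12-byte hole between the SYSTEMTIME and the IP address is where unlabelled locals would go.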


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

By the way: if you're going to dig at the assembler, you must have the analysis done by the eEye folks -- it's a fantastic starting point, and I'm pretty sure I'd not have even tried this without their outstanding initial research. The web page is at http://www.eeye.com/html/Research/Advisories/AL20010717.html , but you have to download a ZIP file that has the detailed analysis and disassembler.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


ArkiMage

join:2001-06-30
Kingsport, TN

reply to Kesh
I got a total of 114 probes from the first CodeRed. So far I've gotten 160 from this one from 105 distinct IPs. The common thing about the new one appears to be that they're all from 24.x.y.z where my current IP is a 24.159.a.b address. It must just vary the last 3 octets of the IP. Not just from my ISP but rather all other addresses in the same Class A subnet sort of.
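Added example, not code from anyone in this thread: a Python script that runs over constructed IIS W3C log lines, separates original Code Red probes (the `NNNN` padding) from Code Red II probes (the `XXXX` padding), counts repeat probes from the same host of the kind RenHoek describes a few posts up, and buckets the probing hosts by whether they share the observer's /8 or /16, which is the neighbourhood preference ArkiMage describes here. The observer address 24.159.10.10 and every log line are made up; the /8 and /16 buckets are the ones the posts talk about, not a claim about the worm's exact address selection.

```python
"""
Pull Code Red / Code Red II probe attempts out of an IIS W3C extended log and
measure how many probing hosts share the observer's /8 and /16.
Added example; the log below is constructed, not taken from anyone's real logs.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in IIS 5 W3C extended format.  The query strings are
# shortened stand-ins for the real padding run and %u-encoded payload.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-04 12:01:05 24.159.7.21 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 404
2001-08-04 12:01:40 24.31.200.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 404
2001-08-04 12:02:13 24.159.200.77 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 404
2001-08-04 12:03:01 65.12.4.8 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 404
2001-08-04 12:03:59 24.159.7.21 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 404
2001-08-04 12:04:30 200.45.1.2 GET /index.html - 200
2001-08-04 12:05:10 24.200.3.3 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 404
"""

# Both worms hit /default.ida; the padding run is 'N' for the original Code Red
# and 'X' for Code Red II.  Require at least 8 repeats so a stray query does not match.
_PAD_RE = re.compile(r"^([NX])\1{7,}")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue            # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(row):
    """Return 'CodeRed', 'CodeRedII' or None for one log row."""
    if row.get("cs-uri-stem", "").lower().endswith("/default.ida"):
        m = _PAD_RE.match(row.get("cs-uri-query", ""))
        if m:
            return "CodeRedII" if m.group(1) == "X" else "CodeRed"
    return None


def locality(observer, source):
    """Bucket a source address relative to the observer's address."""
    obs = ipaddress.IPv4Address(observer)
    src = ipaddress.IPv4Address(source)
    if src in ipaddress.IPv4Network((obs, 16), strict=False):
        return "same /16"
    if src in ipaddress.IPv4Network((obs, 8), strict=False):
        return "same /8"
    return "other"


def summarize(log_text, observer):
    """Per worm variant: hit count, distinct sources, locality buckets, repeat probers."""
    per_variant = {}
    for row in parse_w3c(log_text):
        variant = classify(row)
        if variant is None:
            continue
        stats = per_variant.setdefault(variant, {"hits": 0, "by_source": Counter()})
        stats["hits"] += 1
        stats["by_source"][row["c-ip"]] += 1
    result = {}
    for variant, stats in per_variant.items():
        sources = stats["by_source"]
        result[variant] = {
            "hits": stats["hits"],
            "sources": len(sources),
            "locality": dict(Counter(locality(observer, ip) for ip in sources)),
            "repeat_sources": {ip: n for ip, n in sources.items() if n > 1},
        }
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG, "24.159.10.10"), indent=2))
```

On the sample all four Code Red II sources land in the observer's /8 (two of them in its /16) while the lone original Code Red probe comes from elsewhere, and 24.159.7.21 shows up twice. This only works on web-server logs, since they carry the request line that tells the two variants apart; a firewall log shows nothing but a port-80 connection.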



stev32k
Premium
join:2000-04-27
Mobile, AL
kudos:1

reply to Steve
Check this out. It's one of the addresses that probed me today:

cmc3075849-b.toney1.al.home.com/

I would post a screenshot if I knew how. It's kinda spooky.



Ryan
Premium
join:2001-03-03
Quincy, MA

reply to Steve
This site will give you a scare!



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to stev32k
This is an infection of the first version of the worm, and let's just say that it expresses a certain amount of distaste for the US Government.

I should note that my "homework assignment" really only applies to people who have actual web logs that show the XXXXX infection attempts. If all you have is firewall logs, you'll waste a lot of time on machines that aren't interesting.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


smoylan5

join:2000-10-04
Ridgefield Park, NJ

reply to Steve
I took a look through IE at several of the IP addresses that the port 80 attacks are coming from, and so far most of them seem to be running IIS. On some of the sites my Norton informed me that the web site was infected with the sandmind.backdoor.dr worm and when the web site came up, all it said was **** USA Government.



stev32k
Premium
join:2000-04-27
Mobile, AL
kudos:1

reply to Steve
I apologize for wasting your precious time. I promise it won't happen again.

btw; be careful not to trip over your ego.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Ryan

said by POOoOoOPs:
WHAT IS THAT I JUST GOT LIKE 50 VIRUS. OMG OMG OMG OMG OMG GET RID OF THAT LINK YOU SHOULDA WARNED ME GOD
No no no, you're fine -- your virus scanner is confused (McAfee?). The web site you visited is infected, but you are not. Really. Trust us. Relax.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


Ryan
Premium
join:2001-03-03
Quincy, MA

reply to Steve
Very interesting.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by POOoOoOPs:
OK CALMING DOWN. What is sadman virus?
This is a virus that affects Unix machines, and your stupid virus scanner is reporting you as infected. It is lying to you because it sees the web page and thinks you are a web server.

Really: relax, you are not infected.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Steve
The Code Red II reports have hit Bugtraq, so this is going to get interesting really quickly. Looks like I was one of the early reporters of this and have clearly the most published information on it. My web server is humming!

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net



AS400Dave

join:2001-03-07
South Bend, IN

reply to Steve
Yep, that website defacement absolutely is a SadMind infection -- totally different than the CodeRed going around. SadMind made a comeback too, recently

As far as I know, it is only a server worm, and should have no effect on the browser...
--
Try not to become a man of success, but rather a man of value. --Albert Einstein



AS400Dave

join:2001-03-07
South Bend, IN

reply to Steve
Good for you, Steve -- you deserve all the kudos you get!



RenHoek
You Eeeediot
Premium
join:2000-10-02
Peyton, CO

reply to Steve

said by SJFriedl:
Looks like I was one of the early reporters of this and have clearly the most published information on it. My web server is humming!

Steve

Hmmm. I seem to remember that after my post here (in the "New Code Red signature?" thread) you said that was the first you had heard of it.

Now, who was it that first reported it???


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to stev32k

said by stev32k:
I apologize for wasting your precious time.
Folks, in my frantic haste to attend to 57 things at once, I was much too short with our DSLR member from Mobile and easily appeared to publicly dismiss him. Though the "F*CK US Government" web sites are the Code Red version #1 and do not apply here, my saying "not interesting" sounds like a personal dismissal.

It was a poor choice of words brought on by not previewing enough, and I very much appreciate anybody who's trying to help in here.

Steve in Alabama: I'm sorry.

Steve in California
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
© 1999-2012 dslreports.com