Steve (Consultant, Yorba Linda, CA; joined 2001-03-10):
Re: Code Red II worm analysis Tidbit: the worm seems to exit if the current month is 10/2001 or later -- so it's finished in October (assuming your clock is right).
Steve [text was edited by author 2001-08-04 22:01:44]
Publius:
I keep getting this server busy message.
I'm going to start probing these hits to see if I can find a common denominator.
Page I get:

The page cannot be displayed
There are too many people accessing the Web site at this time.
--------------------------------------------------------------------------------
Please try the following:
Click the Refresh button, or try again later.
Open the adsl-61-4-56.mia.bellsouth.net home page, and then look for links to the information you want.
HTTP 403.9 - Access Forbidden: Too many users are connected
Internet Information Services
--------------------------------------------------------------------------------
Technical Information (for support personnel)
Background: This error can occur if the Web server is busy and cannot process your request due to heavy traffic.
More information: Microsoft Support
Steve:
said by Publius: I keep getting this server busy message.
This is not a surprise, because I think the worm actually disables the server. But some of them have inevitably been rebooted since they hit your logs, so if you go through enough (dozens, perhaps), you may find some that are up. I would start with the older entries in your logs and work to newer.
If this sounds tedious, "welcome to the world of security research".
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
Kesh (reply to Steve):
Steve, you've hooked my curiosity.
I'll have a look at that wormie thing (thanks for posting it, btw). My tools: Hackers View (HIEWxxx), a DOS on-the-fly disassembly file browser, and W32DASM, a code file creator and debugger. A perfect disassembly environment: small and fast.
But due to a disk-crash I'll have to work on a 486. Only machine left with a Win system.
This variant is now the main one in my log file. Concluded by the neighbourhood preference...
Steve:
said by Kesh: I'll have a look at that wormie thing (thanks for posting it, btw). My tools: Hackers View (HIEWxxx), a DOS on-the-fly disassembly file browser, and W32DASM, a code file creator and debugger. A perfect disassembly environment: small and fast.
Well, it's nice to have more eyes on the project besides eEye.
I'm using Sourcer, which is just a horrid piece of software under NT (limit of 8-char labels, for instance). I'm also hampered by not being very good with the whole world of segment registers.
More tidbits for the assembler dudes: there is a chunk of data referenced by DWORD PTR DS:[0FFFFFE58H][EBP] where the hex is replaced by some other offset. I am fuzzy on the addressing (though I know these are ultimately negative numbers), but I've found some correspondences to real variables:
0FFFFFE58H  my IP address
0FFFFFE5CH  generic 260-byte string buffer
0FFFFFE3CH  buffer for SYSTEMTIME
0FFFFFE38H  0 for new infections, 1 for second visits by new worms
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
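The displacements in Steve's table are unsigned 32-bit encodings of negative numbers, so all four variables are locals below the saved frame pointer. The following is an added example, not code from this thread or from the eEye analysis: it reinterprets the displacements as signed offsets, lays out the stack frame they imply, and unpacks a constructed 16-byte SYSTEMTIME buffer to apply the "October 2001 or later" exit check from Steve's earlier tidbit. The variable names, and the 4-byte sizes assumed for the IP address and the revisit flag, are my own guesses; SYSTEMTIME is eight 16-bit WORDs on Win32.

```python
import struct

# Displacements exactly as they appear in the disassembly operand
# DWORD PTR DS:[0FFFFFE58H][EBP].  Each is an unsigned 32-bit encoding of a
# negative number, so all four live below EBP.  Names and the 4-byte sizes
# of the IP and flag are assumptions; SYSTEMTIME is 8 WORDs = 16 bytes.
FRAME_VARS = {
    0xFFFFFE58: ("my_ip", 4),          # my IP address
    0xFFFFFE5C: ("string_buf", 260),   # generic 260-byte string buffer
    0xFFFFFE3C: ("systemtime", 16),    # buffer for SYSTEMTIME
    0xFFFFFE38: ("revisit_flag", 4),   # 0 new infection, 1 second visit
}

def signed32(disp):
    """Reinterpret an unsigned 32-bit displacement as two's complement."""
    return struct.unpack("<i", struct.pack("<I", disp & 0xFFFFFFFF))[0]

def frame_layout(frame_vars=FRAME_VARS):
    """Return (offset, name, size) from lowest address upward, raising if
    two assumed extents overlap (which would mean a size guess is wrong)."""
    layout = sorted((signed32(d), n, s) for d, (n, s) in frame_vars.items())
    for (o1, n1, s1), (o2, n2, _) in zip(layout, layout[1:]):
        if o1 + s1 > o2:
            raise ValueError(f"{n1} overlaps {n2}")
    return layout

SYSTEMTIME_FIELDS = ("wYear", "wMonth", "wDayOfWeek", "wDay",
                     "wHour", "wMinute", "wSecond", "wMilliseconds")

def parse_systemtime(buf):
    """Unpack a Win32 SYSTEMTIME: eight little-endian 16-bit WORDs."""
    return dict(zip(SYSTEMTIME_FIELDS, struct.unpack("<8H", buf)))

def worm_should_exit(st):
    """Exit condition as described in the thread: month 10/2001 or later."""
    return (st["wYear"], st["wMonth"]) >= (2001, 10)

# Constructed sample SYSTEMTIMEs (not captured from a real worm instance):
# Saturday 2001-08-04 22:01:44 and Monday 2001-10-01 00:00:00.
SAMPLE_AUG = struct.pack("<8H", 2001, 8, 6, 4, 22, 1, 44, 0)
SAMPLE_OCT = struct.pack("<8H", 2001, 10, 1, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    for off, name, size in frame_layout():
        print(f"[EBP{off:+d}]  {name:13s} {size:4d} bytes")
    for buf in (SAMPLE_AUG, SAMPLE_OCT):
        st = parse_systemtime(buf)
        print(st["wYear"], st["wMonth"], "exit" if worm_should_exit(st) else "run")
```

With the sizes assumed above the four extents sit at EBP-456, EBP-452, EBP-424 and EBP-420 without overlapping, and the 260-byte string buffer ends 160 bytes below EBP; the overlap check is there so that a wrong size guess for one of the unknowns shows up immediately rather than as a mislabelled variable later.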
Steve:
By the way: if you're going to dig at the assembler, you must have the analysis done by the eEye folks. It's a fantastic starting point, and I'm pretty sure I'd not have even tried this without their outstanding initial research. The web page is at http://www.eeye.com/html/Research/Advisories/AL20010717.html, but you have to download a ZIP file that has the detailed analysis and disassembly.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
Reply to Kesh:
I got a total of 114 probes from the first Code Red. So far I've gotten 160 from this one, from 105 distinct IPs. The common thing about the new one appears to be that they're all from 24.x.y.z, where my current IP is a 24.159.a.b address. It must just vary the last 3 octets of the IP. Not just from my ISP, but rather all other addresses in the same Class A subnet, sort of.
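The "common denominator" check the poster describes, as an added example that is not code from this thread: bucket the sources of probe requests by how much address prefix they share with the probed host. The log lines below are constructed to resemble IIS W3C extended logging and every address in them is invented; 24.159.0.1 is a stand-in for the 24.159.a.b address in the post. A line counts as a probe when the requested path is /default.ida, the URL Code Red requests.

```python
import ipaddress
import re
from collections import Counter

# Assumed stand-in for the poster's 24.159.a.b address.
LOCAL_IP = "24.159.0.1"

# Constructed sample in IIS W3C extended format (fields as in the #Fields
# header); every address is invented.  Code Red probes request /default.ida
# with a long run of X characters in the query string.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-04 22:01:44 24.159.12.34 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-04 22:03:10 24.159.12.34 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-04 22:05:51 24.7.8.9 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-04 22:07:02 24.200.1.2 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 404
2001-08-04 22:09:15 24.159.77.5 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-04 22:10:40 65.4.5.6 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-04 22:11:03 24.159.77.5 GET /index.html - 200
2001-08-04 22:12:30 24.33.44.55 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
"""

# One W3C line: seven whitespace-separated fields, the last a numeric status.
W3C_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def probe_sources(log_text):
    """Return the client IP (as a string) of every request for /default.ida,
    one entry per request, so repeats from the same host are kept."""
    sources = []
    for line in log_text.splitlines():
        if line.startswith("#"):
            continue  # directive lines such as #Fields
        m = W3C_LINE.match(line)
        if m and m.group(5) == "/default.ida":
            sources.append(m.group(3))
    return sources

def shared_prefix_bucket(src, local=LOCAL_IP):
    """Classify src by the widest prefix it shares with local: /16, /8 or none."""
    addr = ipaddress.ip_address(src)
    for bits in (16, 8):
        if addr in ipaddress.ip_network(f"{local}/{bits}", strict=False):
            return f"same /{bits}"
    return "elsewhere"

def summarise(log_text, local=LOCAL_IP):
    """Probe count, distinct-source count, and bucket counts over distinct sources."""
    sources = probe_sources(log_text)
    distinct = set(sources)
    return {
        "probes": len(sources),
        "distinct": len(distinct),
        "buckets": dict(Counter(shared_prefix_bucket(ip, local) for ip in distinct)),
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Bucketing over distinct sources rather than raw hits keeps a single host that re-probes several times from skewing the picture; run against a real log the three bucket counts are what tell you whether the neighbourhood preference is at the /8 level, the /16 level, or both.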