RenHoek
You Eeeediot
Premium
join:2000-10-02
Colorado Springs, CO

New Code Red signature?

Noticed a new signature in my httpd access log file this morning. Is this a new mutation of Code Red?

(Note the X's instead of N's).

__________________Log Entry__________________________

64.105.xxx.yyy - - [04/Aug/2001:06:49:07 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 236


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

This is the first I've seen or heard of it, and I just checked my logs to find nothing. I've enabled capture on websnarf to save not only the URL above but the body of the submission: perhaps we've got something new on our hands.

Thanks for the heads up!

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net



RenHoek
You Eeeediot
Premium
join:2000-10-02
Colorado Springs, CO

reply to RenHoek
All of the bytes after the "XX's" in my log that are visible are identical to Code red. Everything is the same except that the "NN's" have been replaced by "XX's".



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by dwmorris:
Everything is the same except that the "NN's" have been replaced by "XX's".
The Code Red worm is about 4k long, and you're seeing just the first line of it that does the machine infection. The payload follows the first header line and contains the code that scans other machines. The infection mechanism is obviously good enough to not need modifications, but the payload is another story. It's likely that this is what's different, and I'll see if we can find examples of it.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


RenHoek
You Eeeediot
Premium
join:2000-10-02
Colorado Springs, CO

reply to RenHoek
Ok, this is getting weird.

I've had 65 of these in the last hour! Almost all of them have come from the 64.105.xxx.yyy network (covad, my ISP).



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

Just for the record, the Code Red Scanner -- a testing tool -- has the signature

GET /x.ida?AAAAAAAAA...

These aren't a problem. Available at http://www.eeye.com

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
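To make the distinction drawn in the posts above concrete (the NNNN run of the original Code Red, the XXXX run RenHoek is seeing, and eEye's /x.ida?AAAA scanner that Steve says is harmless), here is an added Python example; it is not part of the thread and not any poster's tooling. It parses Apache common-log lines of the form posted above, labels each .ida request, checks whether the %u tail after the filler is the one in the posted entry, and tallies hits per source address and the first timestamp each variant was seen. The log lines are constructed (documentation-range addresses and made-up timestamps); the tail string is copied from the posted entry, the filler length of 224 is assumed for the sample, and the labels CR-N and CR-X follow the shorthand used later in this thread.

```python
import re
from collections import Counter, defaultdict

# Apache common log format, matching the entry posted in this thread.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# A request for an .ida file whose query starts with a run of letters
# (the NNNN / XXXX / AAAA filler), followed by whatever else was sent.
IDA_RE = re.compile(r'^/(?P<file>[^/?]+\.ida)\?(?P<filler>[A-Za-z]+)(?P<tail>.*)$')

# The bytes after the filler in the log entry posted above (line-wrap spaces removed).
KNOWN_TAIL = ('%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
              '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a')


def classify_ida(path):
    """Label an .ida request path, or return None if it is not one."""
    m = IDA_RE.match(path)
    if not m:
        return None
    filler, tail = m.group('filler'), m.group('tail')
    if len(set(filler)) != 1:
        label = 'ida-other'                     # mixed letters: not one of the known fillers
    elif m.group('file') == 'x.ida' and filler[0] == 'A':
        label = 'eeye-scanner'                  # eEye's Code Red Scanner, as noted above
    elif filler[0] == 'N':
        label = 'CR-N'                          # original Code Red request line
    elif filler[0] == 'X':
        label = 'CR-X'                          # the X variant this thread is about
    else:
        label = 'ida-other'
    return {'label': label, 'filler_len': len(filler), 'known_tail': tail == KNOWN_TAIL}


def summarize(lines):
    """Count .ida hits per label, per source address, and record first-seen timestamps."""
    counts = Counter()
    per_ip = defaultdict(Counter)
    first_seen = {}
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue                            # not a well-formed common-log line
        hit = classify_ida(m.group('path'))
        if hit is None:
            continue                            # ordinary request, ignore
        label = hit['label']
        counts[label] += 1
        per_ip[label][m.group('ip')] += 1
        first_seen.setdefault(label, m.group('ts'))
    return {'counts': dict(counts),
            'per_ip': {k: dict(v) for k, v in per_ip.items()},
            'first_seen': first_seen}


def _line(ip, ts, path, status=404, size=236):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.0" {status} {size}'


# Constructed sample log (RFC 5737 addresses, made-up times): one host hitting
# three times in a row, one more X hit, one N hit, one eEye scan, one normal request.
SAMPLE_LOG = [
    _line('192.0.2.10', '04/Aug/2001:06:49:07 -0600', '/default.ida?' + 'X' * 224 + KNOWN_TAIL),
    _line('192.0.2.10', '04/Aug/2001:06:49:09 -0600', '/default.ida?' + 'X' * 224 + KNOWN_TAIL),
    _line('192.0.2.10', '04/Aug/2001:06:49:12 -0600', '/default.ida?' + 'X' * 224 + KNOWN_TAIL),
    _line('198.51.100.7', '04/Aug/2001:07:02:41 -0600', '/default.ida?' + 'X' * 224 + KNOWN_TAIL),
    _line('198.51.100.22', '04/Aug/2001:07:15:03 -0600', '/default.ida?' + 'N' * 224 + KNOWN_TAIL),
    _line('203.0.113.5', '04/Aug/2001:07:20:00 -0600', '/x.ida?' + 'A' * 40, 404, 230),
    _line('203.0.113.9', '04/Aug/2001:07:21:30 -0600', '/index.html', 200, 1024),
]

if __name__ == '__main__':
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Feed it `access_log` with `summarize(open('access_log'))` and the per-address counts show straight away whether one host is repeating, as nlocklin reports below; the `known_tail` flag is there because the posts above say only the filler letter changed, so a request whose tail differs would be worth saving in full rather than just counting.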



RenHoek
You Eeeediot
Premium
join:2000-10-02
Colorado Springs, CO

reply to RenHoek
How do I go about capturing the entire payload to compare to the original Code Red?

I'm running the apache server, not IIS.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by dwmorris:
How do I go about capturing the entire payload to compare to the original Code Red?
I'm not sure you can: I'm using my own tool (websnarf) for this, but it takes the place of the web server, not add to it.

Do you have a spare IP address on that machine?

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
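RenHoek asks how to capture the whole payload on Apache, and Steve's answer is that his tool stands in for the web server rather than adding to it. The following is an added Python sketch of that approach; it is not websnarf and not code from anyone in the thread. A listener accepts one connection, keeps reading past the request line until Content-Length bytes of body have arrived (or the peer closes, or a timeout fires), answers with a 404 and hands back the raw bytes for comparison against the original Code Red. It binds to a loopback address so it can be run offline; on a real host it would be bound to the spare IP address Steve asks about. The sample request and its body are constructed: the 224-character X run, the Content-Length header and the binary body are assumptions for illustration, not figures taken from the thread.

```python
import socket
import threading

MAX_CAPTURE = 64 * 1024   # the worm is a few kB; cap so a flood cannot eat memory


def parse_request(raw):
    """Split a raw HTTP request into request line, headers and body.

    Returns None until the blank line ending the headers has arrived;
    'complete' says whether Content-Length bytes of body are present.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        length = 0                           # garbage length: treat as no body
    return {
        "request_line": lines[0].decode("latin-1", "replace"),
        "headers": headers,
        "body": rest[:length],
        "complete": len(rest) >= length,
    }


def recv_request(conn, timeout=5.0):
    """Read until the declared body has arrived, the peer closes, or the timeout fires.

    A web server would stop after the request line; the point here is to keep
    going, because the interesting part of the worm is the body.
    """
    conn.settimeout(timeout)
    buf = b""
    while len(buf) < MAX_CAPTURE:
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
        req = parse_request(buf)
        if req is not None and req["complete"]:
            break
    return buf


def serve_one(listener, log):
    """Accept one connection, capture the full request, reply 404, record it."""
    conn, peer = listener.accept()
    with conn:
        raw = recv_request(conn)
        log.append((peer[0], raw))
        conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")


def capture_loopback(payload):
    """Run the listener on 127.0.0.1 (ephemeral port), send payload to it, return the capture."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))         # on a real host: the spare IP, port 80
    listener.listen(1)
    log = []
    t = threading.Thread(target=serve_one, args=(listener, log))
    t.start()
    with socket.create_connection(listener.getsockname()) as c:
        c.sendall(payload)
        c.recv(4096)                         # wait for the 404 so the capture has finished
    t.join()
    listener.close()
    return log[0][1]


# Constructed sample: the request line shape from the thread, a Content-Length
# header, and a made-up binary body standing in for the worm code.
SAMPLE_BODY = bytes(range(256)) * 4
SAMPLE_REQUEST = (
    b"GET /default.ida?" + b"X" * 224
    + b"%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + b"%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0\r\n"
    + b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n"
    + SAMPLE_BODY
)

if __name__ == "__main__":
    raw = capture_loopback(SAMPLE_REQUEST)
    req = parse_request(raw)
    print(req["request_line"][:60], "... body bytes:", len(req["body"]))
```

The capture is bounded three ways (declared length, peer close, timeout) so a sender that lies about Content-Length or sends none cannot hold the listener open, and MAX_CAPTURE keeps a flood of these from filling memory. Write each captured blob to disk with the peer address and a timestamp, and the body can be diffed byte for byte against a capture of the N variant.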


RenHoek
You Eeeediot
Premium
join:2000-10-02
Colorado Springs, CO

reply to RenHoek
No, but I could take down the webserver for a while...just hosting some personal stuff.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

I've gotten one on my server as well, and I've managed to capture it. I've sent off a note to Bugtraq, as this looks like something new.

Thanks for the heads up!

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net



nlocklin
Hail To Pitt
Premium
join:2001-03-24
Pittsburgh, PA

reply to RenHoek
Wow, this is new. I saw the same signature (X's), and one IP tried that same code 12 times in a row! That's the first time I've seen any of the IP addresses duplicate themselves. And BlackIce is reporting a "Suspicious URL" from 0.0.0.0.... weird. Can't wait to hear about what new variation this is.


RJS830$

join:2001-05-29
Calgary, AB

reply to RenHoek
I've gotten eight Code Red scans from seven different IP addresses in the last two hours, all with the X signature. This must be a new variant.



RenHoek
You Eeeediot
Premium
join:2000-10-02
Colorado Springs, CO

reply to RenHoek
Yep, I'm up to 95 of these weirdos since about 5am this morning!



Ryan
Premium
join:2001-03-03
Attleboro, MA

reply to RenHoek
Yeah, check out my post I had done earlier.

»HOLY PORT 80



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to RenHoek

said by dwmorris:
Yep, I'm up to 95 of these wierdo's since about 5am this morning!
I'm convinced this is a new strain, because I cannot find one reference to it on any of the security lists that I'm a member of. The odd part: the NNNN -vs- AAAA stuff shouldn't matter to the payload of the worm, because the real work is done by the parts that follow. Maybe the authors just wanted to make things a little easier for us?

But one note: though this may be a new variant, it's not a new threat. If you were patched before, you are patched now, so this is nothing but a curiosity.

DW: what was the timestamp on your first new scan?

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net

[text was edited by author 2001-08-04 12:51:29]


RenHoek
You Eeeediot
Premium
join:2000-10-02
Colorado Springs, CO

reply to RenHoek
64.105.xxx.yyy - - [04/Aug/2001:06:49:07 -0600] was the first one I saw...



kristofer5

join:2001-04-11
Sweden

reply to RenHoek
This is definitely a new wave. I'm counting 17 CR-X attacks the last three hours while the usual CR-N counter only increased by 2.

Do you have any info on if this one has a different payload, Steve?



Ryan
Premium
join:2001-03-03
Attleboro, MA

reply to RenHoek
I'm guessing it is. Check out

»CODE RED LOVES HTTP



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to kristofer5

said by kristofer:
Do you have any info on if this one has a different payload, Steve?
Very definitely a different payload. Very early writeup at http://www.unixwiz.net/techtips/CodeRedII.html . Unlike the early Code Red, which just modified memory and could be cleared with a reboot, this one might be destructive.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


kristofer5

join:2001-04-11
Sweden

*shrug* Fortunately I'm not running IIS, and I'm patched against it. I've learned that there is nothing wrong with being paranoid in computer security.

Thanks Steve, you've got my thumb up!


© 1999-2012 dslreports.com.