[SLUG] Insight on Code Red II

From: Kai Lien (kai@lenseco.com)
Date: Mon Aug 06 2001 - 21:30:44 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What is everyone's view on Code Red II?

After being bombarded with more than a few thousand hits over the weekend, I
decided to learn as much about Code Red II as I can. Besides defacing IIS
web pages, it does much more. It also replaces explorer.exe and copies
cmd.exe to root.exe. To learn more, check out http://incidents.org.

After scanning over the web logs, it came to me that I have a collection
of IPs with machines that are compromised. Since I do not run IIS, Code
Red does not affect me. However, the machines that are trying to use this
exploit on my box are already infected. In essence, my apache log is
telling me which machines I can easily manipulate. In a roundabout way, I
have a "honey-pot" box for compromised machines!

Although I would not do it, any "hacker" could easily damage those
compromised machines with something as simple as this:

get /scripts/root.exe?/c+any_dos_command+c:\

With this collection of IPs, "hackers" no longer need to find / scan for
compromised machines. One can go down the list one by one.

Another insight is the number of tampabay.rr hostnames in the log. My logs
are stored in a MySQL db. I use select distinct IP where hostname like
'%tampabay%' to filter out the list. There were close to 60 distinct IPs
with tampabay hostnames. Not too bad for the tampabay area. From my own
numbers, less than 5% of all attacks are from the tampabay.rr domain.

Please share your thoughts on Code Red II.

- --

Kai Lien

Lense Consulting Company
www.lenseco.com

Fortune Cookie of the Day:

Professional wrestling: ballet for the common man.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7b0TJztiWgzm9RMARAq/1AJ9KuvzKGR4rJizYyRJAo0+FYcU4lQCeJvE2
oew+t0kXLKU3oP3/4b2MIrA=
=WYlc
-----END PGP SIGNATURE-----
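Added example, not part of the original post or of Kai Lien's setup: a small
Python script that does over a plain Apache access log what the post does with
a MySQL table, and goes a little further. It pulls the distinct source IPs
that probed for the IIS .ida overflow, tells Code Red (a run of N characters in
the default.ida query) apart from Code Red II (a run of X characters), keeps
requests for the root.exe backdoor in their own bucket since those come from
whoever is using a compromised box rather than from the worm itself, and
computes a per-domain share the way the post's '%tampabay%' query does. The
log lines, the reverse-DNS table that stands in for the post's hostname
column, and the minimum run length of 8 in the probe signature are all
assumptions made for the example; the real worm pads the query with a few
hundred characters before the %u-encoded payload.

```python
import re

# Constructed sample of an Apache combined-format access log (not from the
# original post). Documentation-range IPs; the X/N runs are shortened.
SAMPLE_LOG = r"""
203.0.113.7 - - [05/Aug/2001:03:14:22 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
198.51.100.23 - - [05/Aug/2001:03:20:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
203.0.113.7 - - [05/Aug/2001:09:47:55 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
192.0.2.44 - - [05/Aug/2001:11:02:13 -0400] "GET /scripts/root.exe?/c+dir+c:\ HTTP/1.0" 404 279 "-" "-"
203.0.113.99 - - [05/Aug/2001:12:30:40 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.77 - - [06/Aug/2001:01:15:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [06/Aug/2001:02:41:37 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
"""

# Constructed reverse-DNS table standing in for the hostname column of the
# poster's MySQL log table (or a gethostbyaddr() lookup). None are real hosts.
RDNS = {
    "203.0.113.7": "24-0-0-7.tampabay.rr.com",
    "198.51.100.77": "24-0-0-77.tampabay.rr.com",
    "198.51.100.23": "dsl-23.example.net",
    "192.0.2.44": "host44.example.org",
    "203.0.113.99": "client99.example.net",
    # 192.0.2.10 deliberately has no reverse record
}

# Apache combined log: host ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# .ida overflow probe: Code Red II pads with X, the original Code Red with N.
# The minimum run of 8 is an assumption chosen to tolerate truncated logs.
PROBE_RE = re.compile(r'^/default\.ida\?(?:(?P<cr2>X{8,})|(?P<cr1>N{8,}))')


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Label a request path: 'codered', 'codered2', 'backdoor' or None."""
    m = PROBE_RE.match(path)
    if m:
        return "codered2" if m.group("cr2") else "codered"
    # Anyone asking for root.exe is driving a box the worm already owns.
    if "root.exe" in path.lower():
        return "backdoor"
    return None


def infected_hosts(log_text):
    """Distinct source addresses per category, sorted, from a whole log."""
    seen = {"codered": set(), "codered2": set(), "backdoor": set()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind:
            seen[kind].add(rec["host"])
    return {k: sorted(v) for k, v in seen.items()}


def domain_share(log_text, rdns, suffix):
    """Distinct probing IPs under a DNS suffix and that suffix's share of probes.

    Only worm probes (codered / codered2) count as attacks here; backdoor
    requests are excluded because they are not the worm scanning. The suffix
    should start with a dot so 'nottampabay.rr.com' does not match.
    """
    total = hits = 0
    ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or classify(rec["path"]) not in ("codered", "codered2"):
            continue
        total += 1
        if rdns.get(rec["host"], "").endswith(suffix):
            hits += 1
            ips.add(rec["host"])
    return {"distinct_ips": sorted(ips), "hits": hits, "total": total,
            "share": hits / total if total else 0.0}


if __name__ == "__main__":
    for kind, ips in infected_hosts(SAMPLE_LOG).items():
        print(f"{kind:9s} {len(ips):3d} distinct: {', '.join(ips)}")
    print(domain_share(SAMPLE_LOG, RDNS, ".tampabay.rr.com"))
```

Running it on the constructed log above lists three Code Red II sources, one
original Code Red source and one address that tried the root.exe backdoor, and
reports that the two tampabay.rr hosts account for 3 of the 5 probes. On a real
log the interesting output is the codered2 list: every address in it was
running an unpatched IIS with root.exe exposed at the time it hit you, which is
exactly the list the post describes.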



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:45:33 EDT