Code Red

Joe Blanchard jblanchard at wyse.com
Fri Jul 20 03:54:42 UTC 2001


Only thing I have seen as far as attempts to attack a web server is the
following from an apache server:
(ip addy masked, although I did see some from a 10 addy)
10.10.18.109 - - [19/Jul/2001:09:03:53 -0400] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 205 "-" "-" 

I'm still not sure what this exploit does, other than return a strange error
page, not a 404 on an MS IIS system, but more like a "failed SQL query" page
on the ones I've tested. I've not had enough time to further this exploit.

As for the payload of these items, some of the systems that attempted this
seemed to be unpatched for the exploit regarding getting a root shell. Of
the ones I had been able to see the exploit on, there was an exe in the
scripts directory called root.exe, which turns out to be a copy of cmd.exe. 
In short, I would assume that if the boxes in question had that exploit any
number of payloads (timebombs) could have been deployed.

I just figure I'll put up a page called Default.ida on an Apache server, some
ads, and start charging for the hits..

Just my 2¢s
-Joe


-----Original Message-----
From: Dave Stewart [mailto:dbs at ntrnet.net]
Sent: Thursday, July 19, 2001 8:32 PM
To: nanog at merit.edu
Subject: Re: Code Red



At 11:12 PM 7/19/2001, lucifer at lightbearer.com wrote:
>Reports from our monitoring systems saw the CPU usage jump by somewhere
>between 150-200% for our core routers today; our current theory is that

Web servers that were hit beginning this morning at 11:26:41 EDT have not 
seen another attempt since 19:49:53.

I'm wondering if this is because it was coming up on 00:00:00 GMT 20-July-2001.

According to the PC-Cillin write-up, the 100-thread scan only takes place
if the system date is less than 20, but if it's 20-28, it launches its DoS
attack at www1.whitehouse.gov

Does anybody really know yet what payloads this thing is carrying?
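The Apache log line Joe quotes above is the signature worth watching for on non-IIS servers: a GET for /default.ida? followed by a long run of N characters and %u-encoded bytes, which Apache answers with a 404. The following is an added example, not code from the thread or from any of the posters: a small Python scanner that parses Apache common-format log lines, flags requests matching that signature, and tallies probes per source address (each source is a likely infected host). The sample log lines are constructed for the example, with the N-run length approximated, and the regexes are this example's own assumptions.

```python
import re
from collections import Counter

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Probe signature seen in the thread: /default.ida? followed by a long filler run
# of N (X in some reports) and %uXXXX-encoded bytes. Assumed pattern for this example.
CODE_RED_RE = re.compile(r'^/default\.ida\?[NX]{20,}.*%u[0-9a-fA-F]{4}', re.IGNORECASE)

# Constructed sample log lines (the N-run is shortened/approximated, not copied).
SAMPLE_LOG = [
    ('10.10.18.109 - - [19/Jul/2001:09:03:53 -0400] "GET /default.ida?' + 'N' * 224
     + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3'
     + '%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205 "-" "-"'),
    '192.0.2.7 - - [19/Jul/2001:09:04:10 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
    ('10.10.18.109 - - [19/Jul/2001:09:05:00 -0400] "GET /default.ida?' + 'N' * 224
     + '%u9090%u6858=a HTTP/1.0" 404 205 "-" "-"'),
    '198.51.100.4 - - [19/Jul/2001:09:06:12 -0400] "GET /default.ida HTTP/1.0" 404 205 "-" "-"',
]

def parse_line(line):
    """Split one Apache common-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_code_red_probe(path):
    """True when the request path carries the default.ida filler-plus-%u signature."""
    return bool(CODE_RED_RE.match(path))

def scan_log(lines):
    """Return (hits, sources): one record per matching probe, and a per-source count.
    Sources sending these probes are themselves likely infected hosts."""
    hits, sources = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_code_red_probe(rec['path']):
            continue
        # Apache 404s these; a 200 would mean an IIS host actually served the request
        # and should be checked for the root.exe copy of cmd.exe the thread describes.
        rec['served'] = rec['status'] == '200'
        hits.append(rec)
        sources[rec['host']] += 1
    return hits, sources

if __name__ == '__main__':
    found, by_source = scan_log(SAMPLE_LOG)
    for host, n in by_source.most_common():
        print(f'{host}: {n} default.ida probe(s), served={any(h["served"] for h in found if h["host"] == host)}')
```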