RE: 'Code Red' does not seem to be scanning for IIS

From: Duncan Hill (dhill@pct.edu)
Date: 07/20/01


Date: Thu, 19 Jul 2001 20:14:47 -0400 (EDT)
From: Duncan Hill <dhill@pct.edu>
To: Kelly Martin <kellym@fb00.fb.org>
Subject: RE: 'Code Red' does not seem to be scanning for IIS
Message-ID: <Pine.LNX.4.33.0107192011340.2067-100000@bajan.pct.edu>

On Thu, 19 Jul 2001, Kelly Martin wrote:

> thousand hits on our IP block in the past six hours or so with none
> before that, and that doesn't even count the ones that smacked
> silently against the firewall (port 80 is only open through the
> firewall to hosts that actually run public web servers, which is
> only a tiny fraction of the IPs in the block).

Something I've noticed in our Apache logs - 70% of the hits (maybe 20 so
far) are from cable modem and ADSL-style addresses (according to the dig
data). Notably @home and mediaone.

I've attempted to mail some places that their server is infected. Of 5
mails sent, 3 bounced as undeliverable to webmaster@domain. One
actually routed through two aliases before bouncing!

Oh well, the Apache server is immune, the IIS server is patched, but
there are no hits in its logs (though there were plenty for the cmd.exe
exploit).

As a side note, our address block is in the 12.x.x.x range.. perhaps
AT&T isn't counted as a good target?

-- 

Sapere aude My mind not only wanders, it sometimes leaves completely.


