FW: CodeRed Observations.

From: larosa, vjay (larosa_vjay@emc.com)
Date: 03/13/03

    From: "larosa, vjay" <larosa_vjay@emc.com>
    To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
    Date: Wed, 12 Mar 2003 19:48:08 -0500


    > Hello,
    >
    > I have been watching this recent spike in CodeRed activity and one thing I
    > am noticing is the lack of TCP session establishment. I am seeing common GET
    > strings like this showing up at my firewalls without ever establishing a TCP
    > three-way handshake. I have seen several hundred packets within the last two
    > days similar to this at my firewalls.
    >
    > 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61 GET /default.ida
    > 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 ?XXXXXXXXXXXXXXX
    > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
    > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
    > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
    > Snip----------------------------------------------------------------------
    >
    > I find it awfully strange that there is no handshake (not even a single SYN
    > to try and establish a session) but these packets show up anyway. I also am
    > not seeing an increase of port 80 scans in my firewall logs or with any of
    > my IDS sensors. Is anybody else out there seeing the same things we are?
    >
    > Thanks!
    >
    > vjl
    >
    > V.Jay LaRosa, EMC Corporation
    > Information Security, 4400 Computer Dr., Westboro, MA 01580
    > (508)898-7433 office
    > (508)353-1348 cell
    > 888-799-9750 pager
    > www.emc.com
    > larosa_vjay@emc.com
    >
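A defender-side check for the pattern the post describes, added here as an example and not the poster's own tooling: it tracks the TCP three-way handshake per connection over constructed sample traffic and reports every payload-bearing packet that arrives on port 80 without one, tagging those that begin with the Code Red `GET /default.ida?` request shown in the hex dump. The `Packet` record, the addresses (documentation ranges) and the sample traffic are all assumptions constructed for the example.

```python
from collections import namedtuple

# Constructed packet record: flags use tcpdump letters (S=SYN, A=ACK, P=PSH).
Packet = namedtuple("Packet", "src sport dst dport flags payload")

# Request prefix of the Code Red probe quoted in the post (hex-dumped above).
CODERED_PREFIX = b"GET /default.ida?"


def is_codered_probe(payload: bytes) -> bool:
    return payload.startswith(CODERED_PREFIX)


def find_orphan_payloads(packets):
    """Track the three-way handshake per 4-tuple and report each data-bearing
    packet whose session was never established (payload with no handshake)."""
    syn_sent, synack_sent, established = set(), set(), set()
    orphans = []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            syn_sent.add(fwd)                  # client SYN
        elif p.flags == "SA" and rev in syn_sent:
            synack_sent.add(rev)               # server SYN/ACK answering that SYN
        elif "A" in p.flags and fwd in synack_sent:
            established.add(fwd)               # client ACK completes the handshake
        if p.payload and fwd not in established:
            orphans.append({"src": p.src, "sport": p.sport, "dst": p.dst,
                            "dport": p.dport, "codered": is_codered_probe(p.payload)})
    return orphans


# Constructed sample traffic: one legitimate session, then two handshake-less
# requests of the kind the post describes. Addresses are documentation ranges.
SRV = "192.0.2.10"
SAMPLE_PACKETS = [
    Packet("192.0.2.50", 1025, SRV, 80, "S", b""),
    Packet(SRV, 80, "192.0.2.50", 1025, "SA", b""),
    Packet("192.0.2.50", 1025, SRV, 80, "A", b""),
    Packet("192.0.2.50", 1025, SRV, 80, "PA", b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.7", 3344, SRV, 80, "PA", CODERED_PREFIX + b"X" * 64),
    Packet("198.51.100.9", 4000, SRV, 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for o in find_orphan_payloads(SAMPLE_PACKETS):
        tag = "Code Red probe" if o["codered"] else "HTTP data"
        print(f"no handshake: {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} ({tag})")
```

Run against real traffic, a hit on an established-only firewall rule set is what the post reports: the payload packet is logged but no SYN for that 4-tuple ever preceded it.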
