RE: CodeRed Observations.

From: Rob Shein (shoten@starpower.net)
Date: 03/13/03

  • Next message: Carey, Steve T GARRISON: "RE: Defaced website listing..."
    From: "Rob Shein" <shoten@starpower.net>
    To: "'larosa, vjay'" <larosa_vjay@emc.com>, <incidents@securityfocus.com>
    Date: Thu, 13 Mar 2003 10:56:37 -0500
    
    

    Check your filters. You might be looking at traffic through a selection
    filter that doesn't show the handshake, so that you can concentrate on the
    content that passes back and forth. That's what I usually find to be the
    case when someone makes this kind of observation...

    > -----Original Message-----
    > From: larosa, vjay [mailto:larosa_vjay@emc.com]
    > Sent: Wednesday, March 12, 2003 7:48 PM
    > To: 'incidents@securityfocus.com'
    > Subject: FW: CodeRed Observations.
    >
    >
    > > Hello,
    > >
    > > I have been watching this recent spike in CodeRed activity and one
    > > thing I am noticing is the lack of TCP session establishment. I am
    > > seeing common get strings like this showing up at my firewalls
    > > without ever establishing a TCP three-way handshake. I have seen
    > > several hundred packets within the last two days similar to this
    > > at my firewalls.
    > >
    > > 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61   GET /default.ida
    > > 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   ?XXXXXXXXXXXXXXX
    > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    > >
    > > Snip------------------------------------------------------------------
    > >
    > > I find it awfully strange that there is no handshake (not even a
    > > single SYN to try and establish a session) but these packets show up
    > > anyway. I also am not seeing an increase of port 80 scans in my
    > > firewall logs or with any of my IDS sensors. Is anybody else out
    > > there seeing the same things we are?
    > >
    > > Thanks!
    > >
    > > vjl
    > >
    > > V.Jay LaRosa EMC Corporation
    > > Information Security 4400 Computer Dr.
    > > (508)898-7433 office Westboro, MA 01580
    > > (508)353-1348 cell www.emc.com
    > > 888-799-9750 pager larosa_vjay@emc.com
    > >
    > >
    > >
    >

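To illustrate the reply's point about selection filters, here is an added example (not code from the thread): a small stateful check that records, per TCP flow, whether a Code Red style request was preceded by a visible three-way handshake, and a "payload only" filter of the kind that hides the handshake. Packet tuples, addresses and the filter function are constructed for illustration.

```python
# Added example, not from the original thread: per-flow handshake tracking for
# packets carrying the Code Red request string, plus a selection filter that
# silently drops the handshake. All packet data below is constructed.
from collections import defaultdict

CODE_RED_MARKER = b"GET /default.ida"

# Constructed capture: (src, dst, tcp_flags, payload).
# Flow 1 completes a handshake before sending the request;
# flow 2 sends the request with no handshake on the wire at all.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", "S", b""),
    ("192.0.2.10", "10.0.0.5", "SA", b""),
    ("10.0.0.5", "192.0.2.10", "A", b""),
    ("10.0.0.5", "192.0.2.10", "PA", CODE_RED_MARKER + b"?" + b"X" * 63),
    ("10.0.0.5", "192.0.2.10", "A", b""),
    ("198.51.100.7", "192.0.2.10", "PA", CODE_RED_MARKER + b"?" + b"X" * 63),
]


def payload_only(packets):
    """A selection filter of the kind the reply warns about: it keeps only
    packets with application data, which removes every handshake packet."""
    return [p for p in packets if p[3]]


def classify(packets):
    """Return {flow: 'established' | 'no-handshake'} for each flow in which a
    Code Red request was seen. 'established' requires client SYN, server
    SYN/ACK and client ACK to have been observed before the request."""
    state = defaultdict(int)  # (src, dst) -> handshake progress 0..3
    verdict = {}
    for src, dst, flags, data in packets:
        flow = (src, dst)
        if flags == "S":
            state[flow] = 1
        elif flags == "SA" and state[(dst, src)] == 1:
            state[(dst, src)] = 2
        elif "A" in flags and state[flow] == 2:
            state[flow] = 3
        if data.startswith(CODE_RED_MARKER):
            verdict[flow] = "established" if state[flow] == 3 else "no-handshake"
    return verdict


if __name__ == "__main__":
    print("full capture:  ", classify(PACKETS))
    print("payload filter:", classify(payload_only(PACKETS)))
```

With the full capture, flow 1 is reported as established and flow 2 as lacking a handshake; once the payload-only filter is applied, both flows look handshake-less, which is exactly the artefact the reply describes.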


