RE: CodeRed Observations.
From: Rob Shein (shoten@starpower.net)
Date: 03/13/03
- Previous message: larosa, vjay: "RE: CodeRed Observations."
- In reply to: larosa, vjay: "RE: CodeRed Observations."
- Next in thread: larosa, vjay: "RE: CodeRed Observations."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Rob Shein" <shoten@starpower.net> To: "'larosa, vjay'" <larosa_vjay@emc.com>, <incidents@securityfocus.com> Date: Thu, 13 Mar 2003 12:12:53 -0500
Ok, here's another thought...is the IP address that the traffic apparently
originates from actually accessible, and is it running a vulnerable IIS? I
would think that if someone wanted to hide an attack, they'd hide amidst a
huge amount of varied attack noise, rather than something so homogenous (and
expected) as this.
> -----Original Message-----
> From: larosa, vjay [mailto:larosa_vjay@emc.com]
> Sent: Thursday, March 13, 2003 11:59 AM
> To: 'Rob Shein'; larosa, vjay; incidents@securityfocus.com
> Subject: RE: CodeRed Observations.
>
>
> Hi Rob,
>
> I'm not saying that the worm is stateless. I am saying that
> the traffic I am seeing at my border firewalls (codered
> strings) is not part of established sessions (stateless). I
> was just trying to figure out if this had something to do with
> the new outbreak, or if somebody is trying to trick me into
> ignoring packets they don't want me to see, so they are throwing
> a stateless attack at me to hopefully hide the real attack under
> the guise of CodeRed. Call me crazy but paranoia is my middle name.
>
> vjl
>
>
> -----Original Message-----
> From: Rob Shein [mailto:shoten@starpower.net]
> Sent: Thursday, March 13, 2003 11:50 AM
> To: 'larosa, vjay'; incidents@securityfocus.com
> Subject: RE: CodeRed Observations.
>
>
> I'd be careful and make sure, if I were you. I don't think
> that the worm is stateless, as it wouldn't be able to spread
> if it just sent data over TCP without establishing the
> handshake first. When you just PSH without handshaking
> first, your data gets rejected.
>
> > -----Original Message-----
> > From: larosa, vjay [mailto:larosa_vjay@emc.com]
> > Sent: Thursday, March 13, 2003 11:32 AM
> > To: 'Rob Shein'; larosa, vjay; incidents@securityfocus.com
> > Subject: RE: CodeRed Observations.
> >
> >
> > There are no filters in place for viewing the firewall logs.
> > Even if there were, the attacks I am seeing are even targeted
> > to IP addresses that are not up and on-line in my network. So
> > how would a "get default.ida?XXX" string be sent to a host that
> > is,
> >
> > a) Not up on the network.
> > b) Behind a firewall that blocks ALL incoming port 80.
> >
> > If there is no three way handshake to set up a TCP session
> > I should not see this data trying to flow to my hosts (Dead
> > IP's or even live IP's). The traffic I am seeing is stateless
> > (Stick/Snot).
> >
> > vjl
> >
> > -----Original Message-----
> > From: Rob Shein [mailto:shoten@starpower.net]
> > Sent: Thursday, March 13, 2003 10:57 AM
> > To: 'larosa, vjay'; incidents@securityfocus.com
> > Subject: RE: CodeRed Observations.
> >
> >
> > Check your filters. You might be looking at traffic through
> > a selection filter that doesn't show the handshake, so that
> > you can concentrate on the content that passes back and
> > forth. That's what I usually find to be the case when
> > someone makes this kind of observation...
> >
> > > -----Original Message-----
> > > From: larosa, vjay [mailto:larosa_vjay@emc.com]
> > > Sent: Wednesday, March 12, 2003 7:48 PM
> > > To: 'incidents@securityfocus.com'
> > > Subject: FW: CodeRed Observations.
> > >
> > >
> > > > Hello,
> > > >
> > > > I have been watching this recent spike in CodeRed activity and one
> > > > thing I am noticing is the lack of TCP session establishment. I am
> > > > seeing common get strings like this showing up at my firewalls
> > > > without ever establishing a TCP three way handshake. I have seen
> > > > several hundred packets within the last two days similar to this
> > > > at my firewalls.
> > > >
> > > > 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
> > > > 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
> > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
> > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
> > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
> > > >
> > > > Snip------------------------------------------------------------------
> > > >
> > > > I find it awfully strange that there is no handshake (not even a
> > > > single SYN to try and establish a session) but these packets show up
> > > > anyway. I also am not seeing an increase of port 80 scans in my
> > > > firewall logs or with any of my IDS sensors. Is anybody else out
> > > > there seeing the same things we are?
> > > >
> > > > Thanks!
> > > >
> > > > vjl
> > > >
> > > > V.Jay LaRosa
> > > > Information Security
> > > > (508)898-7433 office
> > > > (508)353-1348 cell
> > > > 888-799-9750 pager
> > > >
> > > > EMC Corporation
> > > > 4400 Computer Dr.
> > > > Westboro, MA 01580
> > > > www.emc.com
> > > > larosa_vjay@emc.com
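A minimal version of the check this thread is circling around, as an added example that is not part of any message here: a per-connection handshake tracker over constructed packet records that separates a CodeRed request string arriving inside a completed TCP session from one that arrives with no SYN, SYN/ACK or ACK ever seen for that connection. The IP addresses, ports, `Packet` record layout and request payload are all constructed for the example.

```python
from collections import namedtuple
SYN, ACK, PSH = 0x02, 0x10, 0x08
CODE_RED_SIG = b"GET /default.ida?"    # the request string quoted in the thread
# Constructed packet record; flags is a TCP flag bitmask, payload the TCP data.
Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=(b"",))

def _conn_key(p):
    """Direction-agnostic key so both halves of a flow share one state entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)

def classify(packets):
    """Split payload-bearing packets into (stateless, established) lists.
    Per-connection state: 0 none, 1 SYN seen, 2 SYN/ACK seen, 3 handshake done.
    Payload arriving before state 3 cannot belong to a real TCP session; that is
    the stateless (Stick/Snot-style) pattern described at the border firewalls.
    """
    state, stateless, established = {}, [], []
    for p in packets:
        k = _conn_key(p)
        s = state.get(k, 0)
        if p.flags & SYN and not p.flags & ACK:
            s = 1                                   # client SYN (also a reset)
        elif p.flags & SYN and p.flags & ACK and s == 1:
            s = 2                                   # server SYN/ACK
        elif p.flags & ACK and s == 2:
            s = 3                                   # final ACK: established
        state[k] = s
        if p.payload:
            (established if s == 3 else stateless).append(p)
    return stateless, established

def codered_sources(packets):
    """Source IPs carrying the CodeRed string, split by session state."""
    stateless, established = classify(packets)
    return ([p.src for p in stateless if CODE_RED_SIG in p.payload],
            [p.src for p in established if CODE_RED_SIG in p.payload])

def sample_packets():
    """Constructed traffic: one handshaked attempt, one copy with no handshake."""
    c1, c2, srv = "198.51.100.7", "203.0.113.9", "192.0.2.10"
    req = CODE_RED_SIG + b"X" * 64 + b" HTTP/1.0\r\n"    # constructed payload
    return [
        Packet(c1, 40001, srv, 80, SYN),
        Packet(srv, 80, c1, 40001, SYN | ACK),
        Packet(c1, 40001, srv, 80, ACK),
        Packet(c1, 40001, srv, 80, PSH | ACK, req),
        Packet(c2, 40002, srv, 80, PSH | ACK, req),      # no SYN/SYN-ACK/ACK seen
    ]
```

Feeding a real capture through the same state machine answers vjl's question directly: a source that only ever shows up in the stateless list never completed a handshake, so its "default.ida" payload could not have reached IIS, and the same logic will flag any other payload riding in under that cover.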