RE: CodeRed Observations.

From: Rob Shein (shoten@starpower.net)
Date: 03/13/03

    From: "Rob Shein" <shoten@starpower.net>
    To: "'larosa, vjay'" <larosa_vjay@emc.com>, <incidents@securityfocus.com>
    Date: Thu, 13 Mar 2003 11:49:54 -0500
    
    

    I'd be careful and make sure, if I were you. I don't think that the worm is
    stateless, as it wouldn't be able to spread if it just sent data over TCP
    without establishing the handshake first. When you just PSH without
    handshaking first, your data gets rejected.

    > -----Original Message-----
    > From: larosa, vjay [mailto:larosa_vjay@emc.com]
    > Sent: Thursday, March 13, 2003 11:32 AM
    > To: 'Rob Shein'; larosa, vjay; incidents@securityfocus.com
    > Subject: RE: CodeRed Observations.
    >
    >
    > There are no filters in place for viewing the firewall logs.
    > Even if there were, the attacks I am seeing are even targeted
    > to IP addresses that are not up and on-line in my network. So
    > how would a "get default.ida?XXX" string be sent to a host that
    > is,
    >
    > a) Not up on the network.
    > b) Behind a firewall that blocks ALL incoming port 80.
    >
    > If there is no three way handshake to set up a TCP session
    > I should not see this data trying to flow to my hosts (Dead
    > IP's or even live IP's). The traffic I am seeing is stateless
    > (Stick/Snot).
    >
    > vjl
    >
    > -----Original Message-----
    > From: Rob Shein [mailto:shoten@starpower.net]
    > Sent: Thursday, March 13, 2003 10:57 AM
    > To: 'larosa, vjay'; incidents@securityfocus.com
    > Subject: RE: CodeRed Observations.
    >
    >
    > Check your filters. You might be looking at traffic through
    > a selection filter that doesn't show the handshake, so that
    > you can concentrate on the content that passes back and
    > forth. That's what I usually find to be the case when
    > someone makes this kind of observation...
    >
    > > -----Original Message-----
    > > From: larosa, vjay [mailto:larosa_vjay@emc.com]
    > > Sent: Wednesday, March 12, 2003 7:48 PM
    > > To: 'incidents@securityfocus.com'
    > > Subject: FW: CodeRed Observations.
    > >
    > >
    > > > Hello,
    > > >
    > > > I have been watching this recent spike in CodeRed activity and one
    > > > thing I am noticing is the lack of TCP session establishment. I am
    > > > seeing common get strings like this showing up at my firewalls
    > > > without ever establishing a TCP three way handshake. I have seen
    > > > several hundred packets within the last two days similar to this
    > > > at my firewalls.
    > > >
    > > > 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
    > > > 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
    > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    > > >
    > >
    > > > Snip------------------------------------------------------------------------------
    > > >
    > > > I find it awfully strange that there is no handshake (not even a
    > > > single SYN to try and establish a session) but these packets show up
    > > > anyway. I also am not seeing an increase of port 80 scans in my
    > > > firewall logs or with any of my IDS sensors. Is anybody else out
    > > > there seeing the same things we are?
    > > >
    > > > Thanks!
    > > >
    > > > vjl
    > > >
    > > > V.Jay LaRosa
    > > > Information Security
    > > > EMC Corporation, 4400 Computer Dr., Westboro, MA 01580
    > > > (508)898-7433 office, (508)353-1348 cell, 888-799-9750 pager
    > > > www.emc.com, larosa_vjay@emc.com
    > > >
    > > >
    > > >
    > >

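As an added example, not part of the thread or written by any of its authors: a small Python flow tracker that applies the point made above about handshakes. It replays constructed packet records and labels a payload-bearing packet "established" only when its flow completed SYN, SYN/ACK, ACK first; a bare PSH/ACK carrying the `GET /default.ida` string with no handshake is labelled "stateless", which is exactly the case where a sensor that alerts on content alone fires on noise the receiving TCP stack would discard. All addresses, ports and packets are constructed for illustration.

```python
from collections import namedtuple

# Packet record: flags use S=SYN, A=ACK, P=PSH (so "SA" is SYN/ACK).
Pkt = namedtuple("Pkt", "src dst sport dport flags payload")

# Constructed sample: a real handshake followed by the request, then one
# bare PSH/ACK carrying the same CodeRed string with no handshake at all.
CODERED_REQ = b"GET /default.ida?" + b"X" * 64
SAMPLE = [
    Pkt("10.0.0.5", "192.0.2.10", 40000, 80, "S", b""),
    Pkt("192.0.2.10", "10.0.0.5", 80, 40000, "SA", b""),
    Pkt("10.0.0.5", "192.0.2.10", 40000, 80, "A", b""),
    Pkt("10.0.0.5", "192.0.2.10", 40000, 80, "PA", CODERED_REQ),
    Pkt("198.51.100.7", "192.0.2.99", 1234, 80, "PA", CODERED_REQ),
]

def flow_key(p):
    """Canonical key so both directions of one connection share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def classify(packets):
    """Return (index, label) for every payload-bearing packet. The label is
    'established' only if the flow saw SYN, then SYN/ACK, then ACK before
    the payload arrived; otherwise it is 'stateless'."""
    state = {}  # flow_key -> "syn" | "synack" | "established"
    out = []
    for i, p in enumerate(packets):
        k = flow_key(p)
        if p.flags == "S":
            state[k] = "syn"
        elif p.flags == "SA" and state.get(k) == "syn":
            state[k] = "synack"
        elif p.flags == "A" and state.get(k) == "synack":
            state[k] = "established"
        if p.payload:
            label = "established" if state.get(k) == "established" else "stateless"
            out.append((i, label))
    return out

def stateless_signature_hits(packets, signature=b"GET /default.ida"):
    """Indexes of packets that match the signature but belong to no session:
    the ones a content-only filter would report as CodeRed even though the
    receiving TCP stack would never hand that data to the web server."""
    return [i for i, label in classify(packets)
            if label == "stateless" and packets[i].payload.startswith(signature)]

if __name__ == "__main__":
    for i, label in classify(SAMPLE):
        print(i, label, SAMPLE[i].src, "->", SAMPLE[i].dst)
```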