skip at ...1552...
Fri Feb 22 13:14:02 EST 2002
> So what's the best thing to do with this type of attack? Turn'em in?
> To who? Is there a way I can let them know that I know what their
> doing? Any ideas?
> [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:19.830419 220.127.116.11:2122 -> 18.104.22.168:80
> TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF
> ***AP*** Seq: 0x79EC6CC Ack: 0x21AE2090 Win: 0x4248 TcpLen: 20
Unfortunately, there isn't a lot you can do about these attacks other than
defend yourself against them. I have gone as far as firewalling a few of
the very persistent servers.
I have tracked down sysadmins of the offending servers in some special cases
(hospitals, insurance companies, financial institutions, and government
The nearly universal response was "I didn't know we were running a web server
on that machine!" (a consequence of MS efforts to brag that they have more
deployed IIS servers than Apache, but turning on IIS by default). I suspect
that most admins that are actually purposefully using IIS have long since
their servers. Most of these admins of these infected systems have no idea
to do about fixing a problem that they didn't even know that they had, so if
do contact them, they would probably appreciate info on how to fix their
They clearly aren't running any type of IDS or they would have discovered
outbound traffic themselves.
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skip at ...1552...
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
Monterey, CA. 93940
More information about the Snort-users