
Thread: Anyone else seeing a rise in code red II?

  1. #11
    ShagDevil (Some Assembly Required)
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    The only port I've noticed as of late that's been attacked on my system is port 445. The only worm/trojan I know related to this port is "Apher". Supposedly it only affects Windows XP and 2000.
    And Noia, the best I could find about Port 35072 was on Internet Storm Center. Here's the link. This was the best I could find.
    Port 35072 activity
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  3. #13
    Senior Member
    Join Date
    Mar 2003
    Posts
    301
    The only ports that I am being hit on are 445 and 6346, so I'm not much help for you either. Other than that, I haven't noticed anything out of the ordinary.

    PeacE
    -BoB

  5. #15
    Senior Member
    Join Date
    Mar 2003
    Posts
    170

    Well this link might tell you some stuff about it.

    My source is: http://securityresponse.symantec.com...codered.f.html


    As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild.

    CodeRed.F differs by only two bytes from the original CodeRed II. CodeRed II will restart the system if the year is greater than 2001. This is no longer the case for this variant.

    Symantec antivirus products detect CodeRed.F as CodeRed Worm if it is saved to a file. The worm also drops a Trojan, which will be detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and remove this new variant.

    CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 Web servers and uses a buffer overflow vulnerability to infect the remote computers. The worm injects itself directly into memory, rather than copying itself as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.

    If you are running the Microsoft IIS Server, we recommend that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at http://www.microsoft.com/technet/sec.../MS01-033.asp.

    A cumulative patch for IIS, including the four patches released to date, is available at http://www.microsoft.com/technet/sec.../MS01-044.asp.

    In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer: http://www.microsoft.com/technet/sec.../MS00-052.asp.



    Hope that helped!
    NooNoo's
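The Symantec text quoted above says the worm gets in through the IIS .ida (Indexing Service ISAPI) buffer overflow and that the fix is the MS01-033 patch. A quick way to tell whether a server still hands .ida requests to that ISAPI extension at all is to ask for an .ida file that does not exist and look at how the server answers. What follows is an added example, not code from the thread or from Symantec. It assumes the usual behaviour of unpatched IIS 4/5 (an HTTP 200 carrying an "IDQ file ... could not be found" message when idq.dll still owns the extension, a plain 404 once the mapping has been removed), and the host and port are placeholders you point at your own box.

```python
import re
import socket

# Hypothetical target for illustration; point this at your own IIS server.
DEFAULT_HOST = "127.0.0.1"
DEFAULT_PORT = 80

# A benign request: a file that does not exist and a query string with no
# overflow in it. Only the way IIS answers is of interest.
PROBE = b"GET /nonexistent-check.ida HTTP/1.0\r\nHost: %s\r\n\r\n"

# Assumed fingerprints (from the documented behaviour of IIS 4/5):
#  - mapping present: idq.dll answers with 200 and an "IDQ file ... could not
#    be found" message, because the Indexing Service handled the request
#  - mapping absent:  IIS itself returns 404, the extension never ran
IDQ_BODY_RE = re.compile(rb"IDQ file|\.ida", re.IGNORECASE)
STATUS_RE = re.compile(rb"HTTP/\d\.\d (\d{3})")


def classify_ida_response(raw: bytes) -> str:
    """Classify a raw HTTP response to the benign .ida probe."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = STATUS_RE.match(head)
    if not m:
        return "unparseable"
    status = int(m.group(1))
    if status == 404:
        return "ida-mapping-absent"
    if status == 200 and IDQ_BODY_RE.search(body):
        return "ida-mapping-present"
    return "unknown (%d)" % status


def check_ida_exposure(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
                       timeout: float = 5.0) -> str:
    """Send the probe over a plain TCP socket and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBE % host.encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_ida_response(b"".join(chunks))


if __name__ == "__main__":
    print(check_ida_exposure())
```

A "present" result means the attack surface is reachable; it does not by itself prove the host is unpatched, because MS01-033 fixes the overflow without removing the mapping. Removing the .ida/.idq script mappings in the IIS console was Microsoft's documented workaround and is worth doing alongside the patch on any server that does not use Index Server.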

  7. #17
    Senior Member
    Join Date
    Nov 2002
    Posts
    482
    Yes, I get a Code Red attack at least once every 5 mins. It seemed to have stopped now. Sometimes it would get one every 2 secs. I use Sygate firewall and it just says "Code Red attacks". It also gives me the source IP, but because the log was getting filled up heaps, I cleared the log.

    There were two IP addresses, but here is one of them that's stored in my IP tracer. I couldn't even get a whois on the IP address, so...

    210.122.22.9

    <edit> Now I'm getting hit every ten seconds. The IP is different, but here it is: 210.52.32.159

    Hope someone figures out what's happening and fixes it soon.

    </edit>

    <edit2> Hey, I just recovered my log file. Here are all the hits for Code Red I got. Most of these span about 3 days and often come in short bursts instead of regular hits; for example, for about 5 mins I get continuous hits at about 10 sec intervals, etc. Anyway, here are all the IP addresses that I am getting hit by (starting at most recent):

    210.52.32.159
    210.122.22.9
    210.52.46.233
    210.61.49.213
    210.181.239.150
    210.50.112.145

    </edit2>
    - Trying is the first step towards failure. The moral is: never try.
    - It's like something out of that twilighty show about that zone.
    ----Homer J Simpson----

  9. #19
    Senior Member
    Join Date
    Jul 2001
    Posts
    343

    Code Red 2 or 3 or Nimda

    Well, I just checked 5 servers:
    1 gets hit 7000+ a day
    another gets 40+ a day
    yet another got it 8 times today...
    and 2 never got touched today....
    Go figure...

    All servers but 1 are in the same IP class.

    This is for Nimda or Code Red II.
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle
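Franklin's per-server counts above (7000+ a day on one box, a handful on another) and the source-address list in the earlier Sygate post are the kind of numbers a short pass over the web server's own access log gives you, without a personal firewall in the way. The following is an added example, not code from the thread. It takes access log lines in Apache common log format (IIS W3C logs have a different layout and would need a different line regex), classifies each request by the probe it carries (the original Code Red padding the /default.ida query with N, Code Red II, and CodeRed.F which reuses the same request prefix, padding it with X, and Nimda asking for root.exe or cmd.exe with /c+dir) and counts hits per worm, per source address and per day. The log lines are constructed for the example and the 10.x source addresses are placeholders, not the addresses quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample access log (Apache common log format). Not taken from the
# thread; the 10.x source addresses are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2003:08:01:10 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 0
10.0.0.5 - - [11/Mar/2003:08:01:40 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 0
10.0.0.9 - - [11/Mar/2003:08:03:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 0
10.0.1.20 - - [11/Mar/2003:09:10:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
10.0.1.20 - - [11/Mar/2003:09:10:01 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 0
10.0.1.20 - - [11/Mar/2003:09:10:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.2.7 - - [12/Mar/2003:02:45:13 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [12/Mar/2003:03:00:00 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 0
"""

# One common-log-format line: source IP, the date part of the timestamp
# (up to the first colon), the request method and path, and the status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+)[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Code Red family: a GET for /default.ida whose query starts with a long run
# of one padding byte. Real worms send a few hundred; 8 is enough to key on.
CODERED_RE = re.compile(r'^/default\.ida\?(?P<fill>[NX])(?P=fill){7,}')

# Nimda: any of its directory-traversal/encoding variants ends in a request
# for root.exe (the backdoor left by Code Red II's Trojan) or cmd.exe with
# "/c+...", so keying on the target binary catches all of them.
NIMDA_RE = re.compile(r'/(?:root|cmd)\.exe\?/c\+', re.IGNORECASE)


def classify_request(path: str):
    """Return the worm family a request path belongs to, or None."""
    m = CODERED_RE.match(path)
    if m:
        # 'N' padding is the original Code Red; 'X' padding is Code Red II
        # (CodeRed.F differs in the worm body, not in this prefix).
        return "CodeRedII" if m.group("fill") == "X" else "CodeRed"
    if NIMDA_RE.search(path):
        return "Nimda"
    return None


def summarize(log_text: str):
    """Count worm probes per family, per (family, source IP) and per (family, day)."""
    by_worm, by_source, by_day = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        worm = classify_request(m["path"])
        if worm is None:
            continue
        by_worm[worm] += 1
        by_source[(worm, m["ip"])] += 1
        by_day[(worm, m["day"])] += 1
    return by_worm, by_source, by_day


if __name__ == "__main__":
    worms, sources, days = summarize(SAMPLE_LOG)
    for worm, n in worms.most_common():
        print("%-10s %d hits" % (worm, n))
    for (worm, ip), n in sources.most_common():
        print("  %-10s %-15s %d" % (worm, ip, n))
```

Every probe that lands as a 404 is a scan from an already infected host, not an infection of the server doing the logging; the useful output is the per-source counter, which is the evidence to send to the abuse contact for the source netblock. A machine answering the root.exe or cmd.exe requests with a 200 is a different and much worse problem than one logging them as 404, since that is exactly the backdoor the Symantec note describes Trojan.VirtualRoot leaving behind.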
