IDing CR vs CRII vs harmless Port 80

What do I need to determine if a port 80 hit is harmless or a CR hit?  Do I
have to see that it's trying to hit that one file?  (My home firewall
doesn't log that.)  Anything else to look for?

Thanks in advance,

Eric
Eric
8/8/2001 9:30:00 PM
grc.news.feedback


Eric R Mims wrote:
> 
> What do I need to determine if a port 80 hit is harmless or a CR hit?  Do I
> have to see that it's trying to hit that one file?  (My home firewall
> doesn't log that.)  Anything else to look for?
> 
> Thanks in advance,
> 
> Eric

Two ways to tell: a) run some program (netcat) that can monitor port 80
and capture the full request, then look for "default.ida?NNNN" or
"default.ida?XXXX"; or b) if you're running a normal webserver, the
server access logs should show the default.ida items listed above.

-- 
_____________________________________________________________________
 _ __  __           MicroChip Technical Services - http://mctech.org/
| '  \/ _|            PCHelpers International - http://pchelpers.org/
|_|_|_\__|           Backwoods Communications - http://backwoods.org/

-3- Remember the Legend - Dale Earnhardt
Hackers and crackers and Trojans, oh my! - Ray F. Jones

The only constant in the universe is change.
Always stop and smell the roses.
mc
8/8/2001 9:46:00 PM
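As an added example (not code from the thread or from any tool named in it), here is a Python classifier that applies mc's access-log check to constructed sample lines in Common Log Format: a `default.ida?` request padded with N is tagged CR, one padded with X is tagged CRII, any other `default.ida?` request is flagged for inspection, and everything else is treated as harmless. The log lines and addresses are constructed, and the worm padding is shortened.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format), not real captures.
# A real Code Red request carries several hundred N or X characters followed
# by encoded data; the padding is shortened here to keep the sample readable.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Aug/2001:21:30:05 -0400] "GET /index.html HTTP/1.0" 200 1234
198.51.100.7 - - [08/Aug/2001:21:31:12 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 287
203.0.113.44 - - [08/Aug/2001:21:33:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 287
192.0.2.55 - - [08/Aug/2001:21:35:02 -0400] "GET /default.ida?AAAAAAAA HTTP/1.0" 404 287
192.0.2.10 - - [08/Aug/2001:21:36:00 -0400] "GET /robots.txt HTTP/1.0" 404 200
203.0.113.44 - - [08/Aug/2001:21:37:15 -0400] "GET /DEFAULT.IDA?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 287
"""

# ip, ident, user, [timestamp], "method path proto", status, size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<size>\S+)'
)
# The worm asks for default.ida with a run of N (CR) or X (CRII) as the query.
# Case-insensitive: IIS paths are not case-sensitive, so a log may show either.
IDA_RE = re.compile(r'^/default\.ida\?([NX]*)', re.IGNORECASE)


def classify(path):
    """Map a request path to a verdict: CR, CRII, IDA-OTHER or HARMLESS."""
    m = IDA_RE.match(path)
    if not m:
        return "HARMLESS"       # not a default.ida request at all
    pad = m.group(1).upper()
    if pad and set(pad) == {"N"}:
        return "CR"             # original Code Red: default.ida?NNNN...
    if pad and set(pad) == {"X"}:
        return "CRII"           # Code Red II: default.ida?XXXX...
    return "IDA-OTHER"          # .ida request with unexpected padding: look at it


def parse_line(line):
    """Return the CLF fields of one log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return (source ip, verdict) for every parseable line, in log order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            out.append((rec["ip"], classify(rec["path"])))
    return out


def summarize(log_text):
    """Count verdicts, which shows how much of the port-80 noise is worm traffic."""
    return Counter(verdict for _, verdict in triage(log_text))


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG):
        print(f"{ip:15} {verdict}")
    print(dict(summarize(SAMPLE_LOG)))
```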
Ahhh, the obvious.
Thanks again,
Eric

"mc" <invalid@centurytel.net> wrote in message
news:3B71B329.B726F22F@centurytel.net...
> Two ways to tell: a) run some program (netcat) that can monitor port 80
> and capture the full request, then look for "default.ida?NNNN" or
> "default.ida?XXXX"; or b) if you're running a normal webserver, the
> server access logs should show the default.ida items listed above.
Eric
8/8/2001 10:08:00 PM
On Wed, 08 Aug 2001 17:46:17 -0400, mc retorted that:...

> 
> Two ways to tell, a) run some program (netcat) that can monitor port 80
> and capture the full request, then look for "default.ida?NNNN" or

I have a question in this line please. I am running CommView -- I see 
sets of three SYN packets from hundreds of different IPs.

However, there is never any readable data in those "Three". No 'GET' and 
so forth -- I am 'Stealth', no ACK is returned -- and I get no more from 
the respective intruder -- is there anything I am missing? 

Note though, I am running WinME -- no server on this box. Just had to 
ask, I keep looking for the 'default.ida' and so forth, but never get to 
see it.

Thanks a lot ...
Frobozz
8/8/2001 10:26:00 PM
Frobozz <wave_wand@the_troll.gov> wrote in message
news:9ksebc$1g2e$1@news.grc.com...
> On Wed, 08 Aug 2001 17:46:17 -0400, mc retorted that:...
>
> > Two ways to tell, a) run some program (netcat) that can monitor port 80
> > and capture the full request, then look for "default.ida?NNNN" or
>
> I have a question in this line please. I am running CommView -- I see
> sets of three SYN packets from hundreds of different IPs.
>
> However, there is never any readable data in those "Three". No 'GET' and
> so forth -- I am 'Stealth', no ACK is returned -- and I get no more from
> the respective intruder -- is there anything I am missing?

You're seeing all you're going to, unless you start running a program
that replies on port 80, like a webserver. The first step on a
connection is for an incoming SYN packet. Your server replies, letting
the other machine know you're ready to start talking. Then the HTTP
request for "default.ida?...." comes after that. Since you don't have a
webserver running, nothing on your machine will reply to ACK the SYN
packet, so after a few no-answers, the incoming machine gives up and
looks elsewhere.

tom
Tom
8/9/2001 1:05:00 AM
Eric R Mims wrote:
> 
> What do I need to determine if a port 80 hit is harmless or a CR hit?  Do I
> have to see that it's trying to hit that one file?  (My home firewall
> doesn't log that.)  Anything else to look for?

I believe you would need to trap and to analyze the packet. Port 80 was
typically hit every several days until Code Red; now, every few minutes.
You can reasonably infer that any port 80 event is CodeRed. The flavor
can only be determined by analyzing the probe.

Mike
-- 
mrichter@cpl.net
http://www.mrichter.com/
Mike
8/9/2001 1:55:00 AM
On Wed, 8 Aug 2001 21:05:20 -0400, Tom Moeller retorted that:...

> You're seeing all you're going to, unless you start running a program
> that replies on port 80, 


Tom -- thanks much for the clear explanation. I did some reading, via 
google, earlier --- and was trying to decide if that was what was occurring 
--- and now I know. Thanks!
Frobozz
8/9/2001 2:03:00 AM
"Mike Richter" <mrichter@cpl.net> wrote in message
news:3B71EDA7.D234E7B0@cpl.net...
> Eric R Mims wrote:
> >
> > What do I need to determine if a port 80 hit is harmless or a CR hit?  Do I
> > have to see that it's trying to hit that one file?  (My home firewall
> > doesn't log that.)  Anything else to look for?
>
> I believe you would need to trap and to analyze the packet. Port 80 was
> typically hit every several days until Code Red; now, every few minutes.
> You can reasonably infer that any port 80 event is CodeRed. The flavor
> can only be determined by analyzing the probe.

I'm still struggling to do this, but it may be possible to write a
program to read the probe, hash it using MD5, and compare it to known
worm hashes.  Then, trigger an alert when a new variant appears.

--
Robert Bradley
Robert
8/9/2001 2:38:00 PM
In article <9kufvp$1508$1@news.grc.com>, 
robert.bradley_family@btinternet.com says...
| "Mike Richter" <mrichter@cpl.net> wrote in message
| news:3B71EDA7.D234E7B0@cpl.net...
| > Eric R Mims wrote:
| > > What do I need to determine if a port 80 hit is harmless or a CR hit?

| > I believe you would need to trap and to analyze the packet. 
| I'm still struggling to do this, 
| program to read the probe, hash it using MD5, and compare it to known
| worm hashes.  Then, trigger an alert when a new variant appears.

This objective is accomplished easily for me by:

Running 80cap.bat, from PC-Help's posts in grc.techtalk.

IPE run in real time, report only:
IPE pops up and identifies CodeRed, II, ver C etc. for known 
versions.

New versions of the worm are identified as those saved worms 
without such an ident from IPE.

PC-Help gave the command dir /p /os *.bin for quick review based on 
byte size, and directions for MD5 analysis reporting also.

I think this does what you wanted, and more, except the auto 
alert on a new variant.  It is hard to separate a new variant from
other worms attacking port 80.  What makes
something Code Red IV, not Code Alert v.1, or some other name?

Kind Sir
Kind
8/9/2001 5:58:00 PM
Salaam!

Kind Sir wrote:

> This objective accomplished for me easily by:
> Running 80cap.bat by PC-Help posts in grc.techtalk

   Which I've modified to run in its own directory, where it also writes
the output files, which I've renamed to binxxx.txt, hexxxx.txt, and
arpxxx.txt -- so I can double-click them into Metapad (currently waiting
for worm capture #306).  I'm also running eSTOP!, which displays the
source IP address, which I add to another text file (currently 680 unique
IP addresses).  I then run the DOS fc (file compare) utility, using the
seven variants I've captured for the comparison, until I find one that
matches (or add a new variant and look at it).

> IPE run real time, report only: IPE pops up and identify
> CodeRed, II, ver C etc for known versions.

   I ran IPE with today's Minor dat file v1393 on my seven variants,
which discloses:

   crvia.txt (IIS.CodeRed worm)
   crvib.txt (IIS.CodeRed worm)
   crvic.txt (IIS.CodeRed worm)
   crvid.txt (IIS.CodeRed worm)
   crviia.txt (IIS.CodeRed.C worm)
   crviib.txt (IIS.CodeRed.C worm)
   crviic.txt (IIS.CodeRed.C worm)

   CRvI is the July 19 worm, CRvII is the August worm.  So IPE
distinguishes the August worm as ".C" and otherwise does not identify
variances.  It does not find the worm until it's written to a file,
though.

> New versions of worm are identified as those saved worms
> without such ident by IPE.

> PC-Help gave command dir /p /os *.bin for quick review based on
> byte size; and directions for MD5 analyses reporting also.

> I think this does what you wanted, and more, except the auto
> alert to new variant.  Hard to separate new variant from
> other worms attacking port 80.  What makes
> something Code Red IV, not Code Alert v.1, or some other name?

   I think I don't understand your question.  The variants of CRvI
(four) have differences in the execution code; the variants of CRvII
(three) have added lines that look like they may be proxy information;
but no one has answered my questions from the post where I included the
lines where those differences appear in each of the three CRvII
variants.  Almost all of the worms I see are CRvIIa, an occasional
CRvIa, and only one or two each of the other variants.  I find the
variants with File Compare.

> Kind Sir

was-salaam,
abujamal
-- 
PCHelpers:  Putting the "Personal" into "Personal Computers"
           and closing the door on the tyranny of ignorance.
PCHelpers International:  http://www.pchelpers.org/
news://news.pchelpers.org  mailto:pchelpers@pchelpers.org
abujamal
8/9/2001 7:00:00 PM
In article <3B72DDB5.C9B59D56@earthlink.net>, 
muslims@earthlink.net says...
| Salaam!
| 
| Kind Sir wrote:
| 
| > This objective accomplished for me easily by:

Abujamal aka muslims,
Peace brother!  I thought I was replying to someone else.
Oh well. :-)  It's day two on my news reader Gravity!

Whenever I jump into a thread I have not been following,
it makes me look silly.  But at least it doesn't make
me look mean spirited. That just wouldn't be right for
"Kind Sir". :-)

Yes, I run it as \misc\cap\80cap.bat saving to .\80cap\

| > Running 80cap.bat by PC-Help posts in grc.techtalk
| 
|    Which I've modified to run in its own directory, 
| binxxx.txt, hexxxx.txt, and arpxxx.txt 

|    I ran IPE with today's Minor dat file v1393 on my seven variants,
| which discloses:
| 
|    crvia.txt (IIS.CodeRed worm)
|    crvib.txt (IIS.CodeRed worm)
|    crvic.txt (IIS.CodeRed worm)
|    crvid.txt (IIS.CodeRed worm)
|    crviia.txt (IIS.CodeRed.C worm)
|    crviib.txt (IIS.CodeRed.C worm)
|    crviic.txt (IIS.CodeRed.C worm)
 
|    CRvI is the July 19 worm, CRvII is the August worm.  So IPE
| distinguishes the August worm as ".C" and otherwise does not identify
| variances.  

| > What makes
| > something Code Red IV, not Code Alert v.1, or some other name?
| 
|    I think I don't understand your question.  The variants of CRvI
| (four) have differences in the execution code; the variants of CRvII
| (three) have added lines that look like they may be proxy information;

When you find a new variant worm entering on port 80,
how does one decide on a name for it, unless looking at
its hex it includes its own "name"?
This is more a philosophy and linguistics question than a 
programming question.

| but no one has answered my questions from the post where I included the
| lines where those differences appear in each of the three CRvII
| variants.  Almost all of the worms I see are CRvIIa, an occasional
| CRvIa, and only one or two each of the other variants.  I find the
| variants with File Compare.

I get a few one-time captures (based on different byte 
lengths).  I suspect these are partial captures due to
interference by a disconnect, IPE, or something.
I don't know that they are unique, virulent worm variants.
If I get the same byte length 2 or more times,
only then do I have a replicated event suggesting a
new worm variant.

| was-salaam,

Kind Sir 
Kind
8/9/2001 8:05:00 PM
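An added example (not from the thread) of the approach Robert Bradley proposes and the replication rule Kind Sir applies above: MD5 each captured probe, name it from a table of known digests, and treat an unknown digest as a new variant only once the same capture has been seen twice, so a one-off truncated capture is not promoted. The captures, the known-digest table and the X-Extra header line are all constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed sample captures of the HTTP request a worm sends after the
# handshake completes; not real worm bodies, and the padding is shortened.
CAPTURE_CR = b"GET /default.ida?" + b"N" * 48 + b" HTTP/1.0\r\nHost: www\r\n\r\n"
CAPTURE_CRII = b"GET /default.ida?" + b"X" * 48 + b" HTTP/1.0\r\nHost: www\r\n\r\n"
# Constructed stand-in for a CRvII capture with one extra header line, like the
# "added lines" abujamal describes between CRvII variants (hypothetical header).
CAPTURE_CRII_EXTRA = CAPTURE_CRII.replace(b"\r\n\r\n", b"\r\nX-Extra: 1\r\n\r\n")
# A partial capture cut off mid-request, as by a disconnect.
CAPTURE_PARTIAL = CAPTURE_CR[:30]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


# Known-variant table keyed by digest. Built here from the constructed samples;
# in practice it holds the digests of captures already identified by hand.
KNOWN = {md5_hex(CAPTURE_CR): "CRvIa", md5_hex(CAPTURE_CRII): "CRvIIa"}


class ProbeTracker:
    """Name captured probes by MD5; treat an unknown digest as a candidate new
    variant only once it has been captured min_seen times (a one-off is more
    likely a truncated or corrupted capture than a real variant)."""

    def __init__(self, known, min_seen=2):
        self.known = dict(known)
        self.min_seen = min_seen
        self.unknown = Counter()       # digest -> times seen so far
        self.alerts = []               # (digest, byte length) of promoted variants

    def identify(self, capture):
        digest = md5_hex(capture)
        if digest in self.known:
            return "known", self.known[digest]
        self.unknown[digest] += 1
        if self.unknown[digest] < self.min_seen:
            return "unknown-once", digest
        # Replicated unknown capture: promote it and raise an alert.
        name = "NEW-%d-%s" % (len(capture), digest[:8])
        self.known[digest] = name
        self.alerts.append((digest, len(capture)))
        return "new-variant", name


def run_demo():
    """Feed a constructed sequence of captures through one tracker."""
    tracker = ProbeTracker(KNOWN)
    sequence = (CAPTURE_CR, CAPTURE_PARTIAL, CAPTURE_CRII_EXTRA,
                CAPTURE_CRII, CAPTURE_CRII_EXTRA, CAPTURE_CRII_EXTRA)
    return [tracker.identify(c) for c in sequence], tracker


if __name__ == "__main__":
    verdicts, tracker = run_demo()
    for kind, detail in verdicts:
        print(kind, detail)
    print("alerts:", tracker.alerts)
```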