Perhaps this is what he was seeing, perhaps not; there is something
different coming out of the AOL address space. It looks like folks at
least in that address space might well be scanning for infected machines
for some other purpose. The attack signatures are different in that there
is not a single attempt to 'infect' another machine; rather, there are
repeated attempts to hit other servers:
Sep-12-2001 01:41:40 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:41:41 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:41:42 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:41:43 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:41:45 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:41:47 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:41:48 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:41:50 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:41:51 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:41:56 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:42:05 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:42:10 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Sep-12-2001 01:42:08 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
Please be advised that AOL is NOT the only address space such signature
attacks are coming from:
Sep-09-2001 13:42:31 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:42:39 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:43:37 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:44:14 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:45:54 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:48:46 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:49:36 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:49:47 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:50:42 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:51:43 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:51:51 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:51:54 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:51:55 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:51:57 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:54:21 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:54:29 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
Sep-09-2001 13:59:51 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
One mistake we are seeing admins of infected machines make is that they
either merely reboot the server, thinking this rids them of the virus and
cures the problems, or they in fact rebuild the system and go no further,
also thinking the issue is fixed in total. We are seeing such systems
either reinfected, or further compromised and striking out at others with
the same attacks again shortly after being put back online. These
NT/win2k admins seem to be totally clueless and unable to properly care
for their systems. Thus, their skills for the jobs they maintain are
doubtful.
Thanks,
Ron DuFresne
On Wed, 12 Sep 2001 [EMAIL PROTECTED] wrote:
> William--
>
> What you've received is a probe by a machine infected with Code Red or
> similar.
>
> The fact that it's from an IP address in AOL's range is just a coincidence.
>
> Whilst it could be one of AOL's own servers that has been infected and is
> trying to spread, it is more likely to be one of its users with an infected
> machine.
>
> All you have to do is make sure that if you're running IIS (server or
> personal version) that you are properly patched.
>
> Russell
>
>
> From: "william.wells" <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Date: Tue, 11 Sep 2001 17:38:05 -0500
> Subject: (no subject)
>
> My PC is loaded with intrusion detection and other types of software. For
> the first time, AOL has tripped one of those alarms. The message indicated
> that a connection from AOL's system 172.165.224.93 (ACA5E05D.ipt.aol.com)
> attempted to scan my PC on port 80 with the URL of:
> GET /default.ida?XXXXXXXXX...XXX%u9090%u685......
>
> I've currently got AOL disabled at my firewall as a result. Normally, the
> firewall only lets port 5190 out and only to AOL's systems. The implication
> of this is that, once connected to AOL, they allow both inbound and outbound
> connections. The system (172.165.224.93) also isn't one of the permitted IP
> addresses to which the firewall will allow connections. A traceroute,
> however, clearly showed that the packet went through AOL's adapter running
> on Windows.
>
> Comments?
>
>
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
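An added example, not part of the thread: a small Python parser for the "CR2 : <ip> : Notify to" log lines Ron quotes, which sorts each source's timestamps, counts how many hits fall inside a one-minute window, and labels the source as a single worm probe or the repeated hammering he describes; it also matches the /default.ida?XXX...%u9090 request shape William received. The sample log, the mailbox and the second source address are constructed; the CR2 tag and line layout follow the excerpts above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the excerpts quoted in the thread
# (mailbox and the second source IP are made up; the page redacts them).
SAMPLE_LOG = """\
Sep-12-2001 01:41:40 [EDT] : CR2 : 172.180.53.153 : Notify to 'admin@example.net'
Sep-12-2001 01:41:41 [EDT] : CR2 : 172.180.53.153 : Notify to 'admin@example.net'
Sep-12-2001 01:41:42 [EDT] : CR2 : 172.180.53.153 : Notify to 'admin@example.net'
Sep-12-2001 01:41:50 [EDT] : CR2 : 172.180.53.153 : Notify to 'admin@example.net'
Sep-12-2001 01:41:48 [EDT] : CR2 : 172.180.53.153 : Notify to 'admin@example.net'
Sep-12-2001 03:10:02 [EDT] : CR2 : 198.51.100.7 : Notify to 'admin@example.net'
"""

LINE_RE = re.compile(
    r"^(\w{3}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \[\w+\] : (\w+) : ([\d.]+) : Notify to '[^']*'$"
)
# Request shape William quoted: long X/N filler in the query, then %u-encoded bytes.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?[XN]{20,}.*%u9090")


def parse_line(line):
    # Returns (timestamp, signature tag, source ip), or None if the line does not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b-%d-%Y %H:%M:%S"), m.group(2), m.group(3)


def max_hits_in_window(stamps, window):
    """Largest number of one source's events that fall inside any span of length `window`."""
    stamps = sorted(stamps)  # the quoted excerpt itself has an out-of-order entry
    best = lo = 0
    for hi in range(len(stamps)):
        while stamps[hi] - stamps[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify_sources(log_text, window=timedelta(seconds=60), threshold=5):
    """Label each CR2 source 'probe' (one-shot spread attempt) or 'repeated' (Ron's pattern)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "CR2":
            by_src[parsed[2]].append(parsed[0])
    return {src: ("repeated" if max_hits_in_window(st, window) >= threshold else "probe")
            for src, st in by_src.items()}


def is_code_red_request(request_line):
    """True when an HTTP request line has the Code Red /default.ida overflow shape."""
    return CODE_RED_RE.search(request_line) is not None
```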