78
Forensics in the Real World:
Code Red II
•You notice that your Web pages have been defaced, or an increase in network load on your servers
•Monitor your network
–Notice infected machines scanning for new machines. Keep NW logs!
•Follow source IP addresses of scanners
–Resolve IP to names and locations - they all seem to be Web servers
•Monitor your Web servers and logs
–Unrecognized processes, very high thread count
–Many suspicious requests to index server – looks like Code Red or Code Red II
•Find what is infected or vulnerable
–Use worm scanners
•Take appropriate measures to stop the spread or repair infected hosts
–Clean infected machines, apply patches to IIS
Once the IP addresses of infected or vulnerable hosts have been identified, each IP address must be resolved to a host name. The ports and physical locations of the hosts must also be identified. If the infected machine is a production machine with a static IP address, chances are that you know where to find it. If it is a laptop that gets its IP address dynamically, it can be considerably more difficult to find the machine or its owner. Use company network information to assist with locating the infected machines.

If it is not a production machine, you may not have rights to the machine. NBTSTAT can find the machine name given an IP address. DNS lookups can gather machine names for you, as can the WINS database and the DHCP database. Doing name lookups manually is effective only in small outbreaks; if hundreds of machines are involved, the task becomes time consuming and error prone when done by hand. Here too, any documented network information may help significantly.

Find what is infected or vulnerable - with Code Red II, signatures were known and tools were available that could be run to determine whether a system was infected and vulnerable. Various antivirus companies offer tools that can identify Code Red/II infected machines.
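The log-monitoring and name-resolution steps above (spot the suspicious requests to the index server, tally them per source IP, resolve the IPs to names), as an added Python example that is not part of the original slides. It assumes IIS W3C-format log lines, the commonly published .ida/.idq probe signature for the two worm families, and a constructed hostname table standing in for real DNS, WINS or DHCP lookups.

```python
import re
from collections import Counter

# Constructed IIS W3C-style log (fields: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status); sample data for this example, not from the slide.
CRII_QUERY = "X" * 224 + "%u9090%u6858"  # overlong filler in the style of Code Red II probes
CRI_QUERY = "N" * 224 + "%u9090%u6858"   # same, in the style of Code Red v1/v2 probes
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-04 10:01:02 192.0.2.10 GET /index.html - 200",
    f"2001-08-04 10:01:05 192.0.2.77 GET /default.ida {CRII_QUERY} 200",
    f"2001-08-04 10:01:09 192.0.2.77 GET /default.ida {CRII_QUERY} 200",
    f"2001-08-04 10:02:11 198.51.100.5 GET /default.ida {CRI_QUERY} 200",
    "2001-08-04 10:02:30 192.0.2.10 GET /search.ida q=report 200",
    "2001-08-04 10:03:00 192.0.2.10 GET /images/logo.gif - 200",
])
# Hypothetical reverse-lookup table standing in for DNS/WINS/DHCP records.
HOSTNAMES = {"192.0.2.77": "web03.corp.example", "198.51.100.5": "lab-laptop.example"}

def probe_family(stem, query, min_len=200):
    """Classify one request as a 'Code Red II', 'Code Red' or None (benign) probe.

    The worms hit the Index Server ISAPI extension (.ida/.idq) with a query that
    is an overlong run of a single filler letter; the letter (X vs N) is the
    commonly published way to tell the two families apart.
    """
    if not stem.lower().endswith((".ida", ".idq")) or len(query) < min_len:
        return None
    m = re.match(r"^(X+|N+)", query)
    if m and len(m.group(0)) >= min_len // 2:
        return "Code Red II" if query[0] == "X" else "Code Red"
    return None

def find_scanners(log_text, resolver=HOSTNAMES.get):
    """Tally worm probes per source IP (most active first) and resolve names."""
    hits, family = Counter(), {}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # blank line or W3C directive
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed line: skip rather than mis-attribute it
        ip, stem, query = parts[2], parts[4], parts[5]
        fam = probe_family(stem, query)
        if fam:
            hits[ip] += 1
            family[ip] = fam
    return [{"ip": ip, "name": resolver(ip) or "unresolved",
             "probes": n, "family": family[ip]} for ip, n in hits.most_common()]
```

Pass a real resolver (for example a wrapper around a reverse DNS or NBTSTAT query) as `resolver` to replace the constructed table; the short `/search.ida` request in the sample shows that a legitimate Index Server query is not flagged.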