On Wed, 18 Jul 2001, Marc Maiffret wrote:

> The following is a detailed analysis of the "Code Red" .ida worm that we
> reported on July 17th 2001.

[snip much excellent stuff]

> The following is part of the packet data that is sent for this .ida "Code
> Red" worm attack:
>
> GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0
>
> Just add that to your IDS signature database.

A notable side effect of this.. the worm signature is wreaking havoc with
Cisco 675, 677, and 678 DSL routers that have the Web Based Configuration
Interface enabled.

Ref BugTraq ID # 2012
http://www.securityfocus.com/vdb/bottom.html?vid=2012

Any request which includes a question mark made to the Web Admin Interface
on these Cisco devices will cause them to lock up.

I mention this only because I work tech-support at an ISP and the phones
have been going nuts this morning.

Useless trivia - Web server log ida worm signatures seen yesterday: 0

Today the web server (apache) is recording an average of 4 unique IPs
attacking the server every hour.

This one's gonna be bad.

CDI
--
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse: filesystem not big enough for Jumbo Kernel Patch
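The per-hour count of unique attacking IPs mentioned above can be pulled straight out of an Apache access log by matching the quoted .ida signature. The script below is an added example, not code from the post or from eEye; the log lines are constructed (RFC 5737 test addresses) and the worm request has its run of "N" shortened.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache common-log lines (not real traffic). The .ida request
# is the signature quoted in the post, with the run of "N" shortened.
IDA_REQ = ("/default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801"
           "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [18/Jul/2001:09:12:01 -0700] "GET {IDA_REQ} HTTP/1.0" 404 291',
    f'10.0.0.5 - - [18/Jul/2001:09:40:33 -0700] "GET {IDA_REQ} HTTP/1.0" 404 291',
    f'192.0.2.77 - - [18/Jul/2001:09:55:10 -0700] "GET {IDA_REQ} HTTP/1.0" 404 291',
    '203.0.113.9 - - [18/Jul/2001:10:03:44 -0700] "GET /index.html HTTP/1.0" 200 1043',
    f'203.0.113.9 - - [18/Jul/2001:10:17:02 -0700] "GET {IDA_REQ} HTTP/1.0" 404 291',
])

# Common log format: client ip, identity, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Code Red .ida signature: the .ida handler, a long run of "N" that overflows
# the buffer, then the %u-encoded (Unicode-escaped) payload.
IDA_RE = re.compile(r'^/default\.ida\?N{10,}%u[0-9a-f]{4}', re.IGNORECASE)

def is_ida_request(path):
    """True if a request path matches the Code Red .ida signature."""
    return IDA_RE.match(path) is not None

def ida_hits(log_text):
    """Return (source ip, timestamp) for every .ida worm hit in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_ida_request(m.group("path")):
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((m.group("ip"), ts))
    return hits

def unique_ips_per_hour(log_text):
    """Count distinct attacking IPs per clock hour, the figure the post reports."""
    buckets = defaultdict(set)
    for ip, ts in ida_hits(log_text):
        buckets[ts.strftime("%Y-%m-%d %H:00")].add(ip)
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}

if __name__ == "__main__":
    for hour, n in unique_ips_per_hour(SAMPLE_LOG).items():
        print(f"{hour}: {n} unique attacking IP(s)")
```

Run it against a real access_log by reading the file into `unique_ips_per_hour`; hosts that keep reappearing across hours are the ones worth reporting to their network's abuse contact.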
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 12:10:44 PDT