I have two different webservers, each of which has been logging infrequent attempts from the Code Red worm to attack it (each box has so far received around 20 such attacks since 18/07/01). Both are immune to it (one has been patched, and the other has the .ida mapping removed). The two servers are using completely different addresses on completely different subnets.

Comparing the logfiles for each server, it is clear that no single IP address has attacked both servers. If the only "wild" version of Code Red effectively has a hard-coded sequence of addresses to attack (due to the fixed randomisation seed), one server must necessarily be attacked before the other. Therefore, it would follow that both logs should contain the same IP addresses, with some time difference between them (unless one or other server has had downtime, which they have not). This is not the case. The only conclusion is that there is another version of the "Code Red" worm in the wild, which has a correct randomisation routine (and possibly other differences).

The GET request logged by the second worm variant is as follows:

GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Firstly, can someone confirm whether this is the same as the GET request logged by the hard-coded worm? Secondly, can someone capture a copy of this second variant and disassemble it? I intend to add egress filters to one of my servers and allow it to become infected; if anyone wants to volunteer to help me pick it apart afterwards, it would be appreciated.
Chris

-- 
Chris Paget
mad.nutterat_private
In the battle of Linux Vs Microsoft, remember this: It's hard to not engage in holy wars when everybody knows everything.
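As an added example (not part of the post above or of the archive), here is the log comparison the post describes, in Python: it pulls the source addresses of /default.ida probes out of two servers' access logs and reports the overlap and arrival order. Under a fixed-seed target list every infected host walks the same sequence, so the two servers should share most source IPs and always see them in the same order; an empty intersection is the evidence for a properly seeded variant. The log lines are constructed samples in Apache common log format with RFC 5737 documentation addresses, not the author's logs.

```python
import re
from datetime import datetime

# Constructed sample access logs (not the post's real data). The query string
# mimics the worm's shape: a run of N's followed by %u-encoded payload words.
PROBE = "/default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a"
SERVER_A_LOG = f"""\
192.0.2.10 - - [18/Jul/2001:14:02:11 +0000] "GET {PROBE} HTTP/1.0" 404 276
198.51.100.7 - - [18/Jul/2001:15:10:45 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [19/Jul/2001:03:44:09 +0000] "GET {PROBE} HTTP/1.0" 404 276
"""
SERVER_B_LOG = f"""\
203.0.113.99 - - [18/Jul/2001:16:20:00 +0000] "GET {PROBE} HTTP/1.0" 404 276
192.0.2.10 - - [19/Jul/2001:01:00:00 +0000] "GET {PROBE} HTTP/1.0" 404 276
"""

# Common log format: ip ident user [timestamp] "METHOD path ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def first_seen(log_text):
    """Map each source IP to the time of its first Code Red probe.

    A probe is a request for /default.ida whose query carries the %u9090
    (NOP sled) fragment the worm sends; ordinary traffic is ignored.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith("/default.ida") and "%u9090" in path:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            seen.setdefault(m.group("ip"), ts)
    return seen


def compare_servers(log_a, log_b):
    """Return (shared_ips, a_before_b) for the two servers.

    shared_ips lists sources that probed both boxes, ordered by their hit on
    server A; a_before_b holds True where A was hit first. With a fixed seed
    the list should be long and the flags all identical; few or no shared
    sources is the signal the post relies on for a re-seeded variant.
    """
    a, b = first_seen(log_a), first_seen(log_b)
    shared = sorted(set(a) & set(b), key=lambda ip: a[ip])
    return shared, [a[ip] < b[ip] for ip in shared]
```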
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 11:05:43 PDT