I just checked a number of the potential 'Red Alert' victims I got at
DShield.org. None of them appear to be defaced. Are there multiple
variations? Is there a special URL that's used for the defaced page?

On Wed, 18 Jul 2001, Marc Maiffret wrote:

> It has a jump location that works on all win2k sp versions (have only tested
> English, but from other research we think the worm only tries to attack
> English anyways). NT4 it just looks to crash it but we are not done with
> testing yet.
>
> It works very well and uses a lot of the new overflow techniques which allow
> it to execute code more often than crashing IIS web servers.
>
> Signed,
> Marc Maiffret
> Chief Hacking Officer
> eEye Digital Security
> T.949.349.9062
> F.949.349.9538
> http://eEye.com/Retina - Network Security Scanner
> http://eEye.com/Iris - Network Traffic Analyzer
> http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
>
> |-----Original Message-----
> |From: w1re p4ir [mailto:w1rep4irat_private]
> |Sent: Wednesday, July 18, 2001 8:44 AM
> |To: incidentsat_private
> |Subject: "Code Red" worm questions
> |
> |
> |I've read practically everything about this worm that has been
> |released. But there are a few questions that I have. First off, I
> |know the first exploit was written by hsj and it used the offsets
> |for the Japanese version of IIS. Now in this new worm, has the
> |code been modified with US (or other) offsets to attack English
> |versions? I have already had a call regarding a possible "break in
> |attempt." with very little other information. I would like to be
> |able to tell them either they are vulnerable to this worm or not. Thank you,
> |w1re
> |
> |____________________________________________________
> |FREE Disinformation E-book - http://www.disinfo.com
> |
> |
> |----------------------------------------------------------------------------
> |
> |
> |This list is provided by the SecurityFocus ARIS analyzer service.
> |For more information on this free incident handling, management
> |and tracking system please see:
> |
> |http://aris.securityfocus.com
> |
> |

--
-------
jullrichat_private
Join http://www.DShield.org
Distributed Intrusion Detection System
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 13:48:59 PDT