RE: "Code Red" worm questions

From: Johannes B. Ullrich (jullrichat_private)
Date: Wed Jul 18 2001 - 12:10:48 PDT


    I just checked a number of the potential 'Red Alert' victims I got at
    DShield.org. None of them appear to be defaced. Are there multiple
    variations? Is there a special url that's used for the defaced page?
    
    
    On Wed, 18 Jul 2001, Marc Maiffret wrote:
    
    > It has a jump location that works on all win2k sp versions (have only tested
    > English, but from other research we think the worm only tries to attack
    > English anyways). NT4 it just looks to crash it but we are not done with
    > testing yet.
    >
    > It works very well and uses a lot of the new overflow techniques which allow
    > it to execute code more often than crashing IIS web servers.
    >
    > Signed,
    > Marc Maiffret
    > Chief Hacking Officer
    > eEye Digital Security
    > T.949.349.9062
    > F.949.349.9538
    > http://eEye.com/Retina - Network Security Scanner
    > http://eEye.com/Iris - Network Traffic Analyzer
    > http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    >
    > |-----Original Message-----
    > |From: w1re p4ir [mailto:w1rep4irat_private]
    > |Sent: Wednesday, July 18, 2001 8:44 AM
    > |To: incidentsat_private
    > |Subject: "Code Red" worm questions
    > |
    > |
    > |I've read practically everything about this worm that has been
    > |released. But there are a few questions that I have. First off, I
    > |know the first exploit was written by hsj and it used the offsets
    > |for the Japanese version of IIS. Now in this new worm, has the
    > |code been modified with US (or other) offsets to attack English
    > |versions? I have already had a call regarding a possible "break-in
    > |attempt" with very little other information. I would like to be
    > |able to tell them whether they are vulnerable to this worm or not. Thank you,
    > |w1re
    > |
    > |____________________________________________________
    > |FREE Disinformation E-book - http://www.disinfo.com
    > |
    > |
    > |-------------------------------------------------------------------
    > |---------
    > |
    > |
    > |This list is provided by the SecurityFocus ARIS analyzer service.
    > |For more information on this free incident handling, management
    > |and tracking system please see:
    > |
    > |http://aris.securityfocus.com
    > |
    > |
    >
    
    -- 
    -------
    jullrichat_private                    Join http://www.DShield.org
                                         Distributed Intrusion Detection System
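
An added example, not part of Ullrich's message or of any tool the thread mentions: a small Python scanner that flags the Code Red family's characteristic probe in IIS W3C extended log lines, namely a GET for /default.ida whose query string opens with a long run of a single filler byte ('N' for the original Code Red, 'X' for Code Red II). The sample log lines, the field order and the 100-byte run threshold are constructed assumptions for this example.

```python
import re

# Constructed sample IIS W3C extended log lines (not taken from the thread).
# Field order assumed here: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-18 10:03:12 192.0.2.10 GET /default.ida {n_run} 200
2001-07-18 10:05:40 198.51.100.7 GET /Default.ida {x_run} 404
2001-07-18 10:06:01 203.0.113.5 GET /index.html - 200
""".format(n_run="N" * 224, x_run="X" * 224)

# The probe's query string starts with a long run of one filler byte.
# The 100-byte minimum is an assumed threshold, well below the worm's actual run.
FILLER_RUN = re.compile(r"^([NX])\1{99,}")


def parse_w3c_line(line):
    """Return one log line as a dict of the seven assumed fields, or None for
    directive/comment lines and lines that are too short to parse."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    keys = ("date", "time", "client_ip", "method", "uri_stem", "uri_query", "status")
    return dict(zip(keys, parts[:7]))


def classify_probe(entry):
    """Return a variant label if the request looks like a Code Red probe, else None."""
    if entry["method"].upper() != "GET":
        return None
    # IIS paths are case-insensitive, so normalise before comparing.
    if entry["uri_stem"].lower() != "/default.ida":
        return None
    m = FILLER_RUN.match(entry["uri_query"])
    if not m:
        return None
    return "Code Red (N filler)" if m.group(1) == "N" else "Code Red II (X filler)"


def scan_log(text):
    """Return a list of (client_ip, variant, sc-status) for every probe found."""
    hits = []
    for line in text.splitlines():
        entry = parse_w3c_line(line)
        if entry is None:
            continue
        variant = classify_probe(entry)
        if variant:
            hits.append((entry["client_ip"], variant, entry["status"]))
    return hits


if __name__ == "__main__":
    for ip, variant, status in scan_log(SAMPLE_LOG):
        print(f"{ip}: {variant}, server answered {status}")
```

The sc-status column is the useful part for triage: a 404 means the .ida extension was not mapped to the indexing ISAPI filter, so that host was probed but not exposed to the overflow, while a 200 means the request reached the filter and the host warrants the kind of follow-up check the thread describes.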
    
    
    
    
    This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 13:48:59 PDT