CodeRed

From: Ryan Russell (ryanat_private)
Date: Thu Jul 19 2001 - 14:17:56 PDT

    Here's a copy of CodeRed, as captured by my elite honeypot:
    
    nc -l -p 80 > c:\gotcha
    
    It's in a password protected .zip file, password is "worm" without the
    quotes.  The zip file is only about 2K, so it shouldn't cause undue stress
    on anyone's mail server or client.
    
    There is a rule available for Snort:
    http://www.whitehats.com/info/IDS552
    
    BlackICE defender spotted this one as "Suspicious URL":
    39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17,
    st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,
    
    And I'm not aware of other IDSes that catch this.  (Though I'd like to be
    corrected if that's not the case.)
    
    				Ryan
    
    
    

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management and tracking system
    please see: http://aris.securityfocus.com



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:27:54 PDT