RE: CodeRed

From: Tulchinskiy, Sasha (STulchinskiyat_private)
Date: Fri Jul 20 2001 - 06:45:24 PDT

  • Next message: E. Larry Lidz: "Re: .ida Intrusion Attempt"

    BlackICE Agent for Servers reports it to ICECap console as
    Issue 2002608 "ISAPI extension overflow"
    
    Sasha. 
    
    -----Original Message-----
    From: Ryan Russell [mailto:ryanat_private]
    Sent: Thursday, July 19, 2001 5:18 PM
    To: incidentsat_private
    Subject: CodeRed 
    
    
    Here's a copy of CodeRed, as captured by my elite honeypot:
    
    nc -l -p 80 > c:\gotcha
    
    It's in a password protected .zip file, password is "worm" without the
    quotes.  The zip file is only about 2K, so it shouldn't cause undue stress
    on anyone's mail server or client.
    
    There is a rule available for Snort:
    http://www.whitehats.com/info/IDS552
    
    BlackICE defender spotted this one as "Suspicious URL":
    39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17,
    st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,
    
    And I'm not aware of other IDS' that catch this.  (Though I'd like to be
    corrected if that's not the case.)
    
    				Ryan
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 09:50:41 PDT