Re: CodeRed

From: James T Kirk (Captain_Kirkat_private)
Date: Fri Jul 20 2001 - 10:18:25 PDT


    NFR Security's NID does. It caught the initial .ida attacks and they have
    updated one of their packages to include information on the worm.
    
    On Thu, 19 Jul 2001, Ryan Russell wrote:
    
    > Here's a copy of CodeRed, as captured by my elite honeypot:
    >
    > nc -l -p 80 > c:\gotcha
    >
    > It's in a password protected .zip file, password is "worm" without the
    > quotes.  The zip file is only about 2K, so it shouldn't cause undue stress
    > on anyone's mail server or client.
    >
    > There is a rule available for Snort:
    > http://www.whitehats.com/info/IDS552
    >
    > BlackICE defender spotted this one as "Suspicious URL":
    > 39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17,
    > st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,
    >
    > And I'm not aware of other IDS' that catch this.  (Though I'd like to be
    > corrected if that's not the case.)
    >
    > 				Ryan
    >
    >
    
    
    