Re: CodeRedII worm..

From: A.L.Lambert (alambertat_private)
Date: Sun Aug 05 2001 - 16:51:47 PDT


> I have seen no checks for root.exe so far. But Nessus already has a
> codered_x.nasl, congrats to this speed!
> 
> # special root.exe from CR2
> alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)

	FYI - if you're using the syslog output of snort, and logging to a
separate box for redundancy, that'll cause an infinite loop (msg contains
content field).  I recommend the following:

alert tcp any any -> any 80 (msg: "CodeRedII root exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)

	Cheers!

-- 
Adam Lambert
Chief Technical Officer
ManISec, Inc. - "Managed Internet Security Services"
http://www.manisec.com
mailto:alambertat_private



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
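The problem Adam points out is a general one: any rule whose msg text contains one of its own content patterns can re-trigger on its own alert traffic if that traffic passes back through the sensor. The script below is an added example, not part of the post and not a Snort tool; it is a small lint pass that parses the option section of each rule and flags rules where a quoted content pattern also appears in the msg. The two rules it checks are the ones from the thread; the parser is assumed to be simple, handling only plain quoted content strings (no |hex| bytes, negated or nocase content, and no pcre).

```python
import re

# The two rules from the thread: the first has "root.exe" in both msg and
# content (the self-triggering case), the second is the suggested fix.
RULES = [
    'alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; '
    'content:"root.exe"; depth:624; classtype:attempted-admin;)',
    'alert tcp any any -> any 80 (msg: "CodeRedII root exe"; flags: A+; '
    'content:"root.exe"; depth:624; classtype:attempted-admin;)',
]

# Matches options of the form   keyword: "quoted value"   (spaces optional).
# Assumption: only quoted option values are of interest here; unquoted
# options such as flags:A+ or depth:624 are skipped on purpose.
OPTION_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"')


def parse_options(rule):
    """Return (keyword, value) pairs for the quoted options inside the rule's ( ... )."""
    start = rule.find("(")
    end = rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("rule has no option section: %r" % rule)
    return OPTION_RE.findall(rule[start + 1:end])


def self_matching_patterns(rule):
    """Return the content patterns of a rule that also occur in its msg text.

    Comparison is case-insensitive so that a rule using 'nocase' is still
    flagged; a plain (case-sensitive) content match is a subset of that.
    """
    opts = parse_options(rule)
    msgs = [v for k, v in opts if k.lower() == "msg"]
    contents = [v for k, v in opts if k.lower() == "content"]
    return [p for p in contents if any(p.lower() in m.lower() for m in msgs)]


def lint_rules(rules):
    """Map each rule's msg text to the list of self-matching patterns ([] means clean)."""
    report = {}
    for rule in rules:
        msgs = [v for k, v in parse_options(rule) if k.lower() == "msg"]
        key = msgs[0] if msgs else rule
        report[key] = self_matching_patterns(rule)
    return report


if __name__ == "__main__":
    for msg, hits in lint_rules(RULES).items():
        status = "SELF-MATCH %r" % hits if hits else "ok"
        print("%-25s %s" % (msg, status))
```

Run it over a whole rules file by reading its lines into RULES; any rule reported with a non-empty hit list should have its msg reworded (as in the corrected rule above) or its alert output kept off a path the sensor inspects.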
    



    This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 17:10:33 PDT