At 04:10 PM 8/6/2001, Rodrigo Barbosa wrote:
>The point is that it looks like a CodeRed II, but it's missing the
>beginning of the xploit string. Also, this is a HTTP/1.1 request, while
>regular CRII requests are HTTP/1.0.
>
>I've got these from 2 hosts now. Multiple times from each of these hosts,
>and no regular CRII request from any of them.
>
>Anyone have any idea what this can be ?

hm. i got some requests that had some bytes missing (1000 or so). as this new worm uses exactly the same data it is itself (not obvious: codered used the data received and decoded by iis, like request-url and attack vector) some defect will propagate at once. nevertheless these corrupted versions (eg. bad memory, hard disk (swapped mem) or cpu) won't be able to infect other systems (most of the time).

so the point is: why do several hosts appear to have the same corrupted version?

cheerz
corecode

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:36:39 PDT