Pluto <plutoat_private> wrote:

> On Sun, Aug 05, 2001 at 04:38:55AM -0400, Valdis.Kletnieksat_private wrote:
> > (Sorry for the cross-posting)
> >
> > Given that initial analysis of the CodeRedII worm indicates that it leaves
> > a backdoor lying around, I hereby request that those people who made
> > lists of infected hosts available last time *NOT* do so again.

I wholeheartedly support Valdis' request in this matter (and made the same
request in private to the incidents list moderator).

> I have seen no checks for root.exe so far. But Nessus already has a
> codered_x.nasl, congrats to this speed!
>
> # special root.exe from CR2
> alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)

Not wishing to be offensive (I know -- some will say it's my nature and
unavoidable), but such a signature shows an entirely clue-devoid
understanding of the real nature of the backdooring that CodeRed.C (or
whatever you want to call it) does. I know this is a full-disclosure list,
but I will not publicly release, for the delight of the dipshit kiddies, how
to circumvent such inadequate IDS rules.

(This is not an attack against Nessus and its makers -- I'm sure many (if
not all) other IDS makers/maintainers have added similar, and similarly
flawed, rules for just this issue in the last 12 hours or so. If you
verifiably work for an IDS vendor, or maintain a freeware/open-source/etc.
IDS, and do not understand the utter inadequacy of such a simplistic rule,
feel free to contact me for the details. There may not be anything you can
do to "fix" this without getting horrendous false positive rates, but at
least I can safely explain to you why the above is grossly inadequate.)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
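Added example (not code from the thread, from Nessus, from Snort or from Nick): the Snort rule Pluto quoted is the only code in the message, and the Python below models what that one line actually constrains when run over constructed TCP segments. It implements the rule's header (any source, destination port 80), the `flags: A+` option (ACK set, any other bits allowed), and `content` bounded by `depth:624` (the literal must lie within the first 624 payload bytes), then evaluates the rule against a handful of constructed requests. The point it makes is the one a practitioner can verify from the rule text alone: the rule keys on a single byte string with no knowledge of HTTP, so it is silent on a server listening on another port or on anything outside the depth window, and it fires on any port-80 request that happens to carry the string. It does not attempt to reproduce the circumvention Nick declines to publish. `Packet`, `parse_rule`, `flags_match`, `rule_matches` and `evaluate_samples` are names chosen for this example, and every sample request is constructed here.

```python
"""Model of the posted Snort rule's matching logic over constructed traffic.

Constructed example written for this page; not code from the original post,
Nessus or Snort. Only the pieces of Snort rule syntax that the posted rule
uses are modelled (header port, flags, content, depth).
"""
from dataclasses import dataclass

# Snort TCP flag letters -> bit in the TCP flags byte.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

# The rule exactly as it appears in the thread.
RULE = ('alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; '
        'content:"root.exe"; depth:624; classtype:attempted-admin;)')


@dataclass
class Packet:
    """Just enough of a TCP segment for this rule: destination port, flags, payload."""
    dst_port: int
    flags: int
    payload: bytes


def parse_rule(rule: str) -> dict:
    """Split a one-line Snort rule into header fields and an option dictionary.

    Splits options on ';', which is fine for the posted rule (no escaped
    semicolons inside its content string).
    """
    header, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for opt in body.rstrip(")").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "dst": dst, "dport": dport,
            "options": options}


def flags_match(spec: str, flags: int) -> bool:
    """Snort 'flags': listed letters must be set; a trailing '+' permits any
    additional bits, while no modifier demands an exact match."""
    required = 0
    for letter in spec.rstrip("+*!"):
        required |= TCP_FLAG_BITS[letter]
    if spec.endswith("+"):
        return flags & required == required
    return flags == required


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Evaluate the parsed rule against one packet."""
    if rule["dport"] != "any" and pkt.dst_port != int(rule["dport"]):
        return False
    opts = rule["options"]
    if "flags" in opts and not flags_match(opts["flags"], pkt.flags):
        return False
    if "content" in opts:
        needle = opts["content"].encode()
        # 'depth' limits the search to the first N payload bytes; the whole
        # literal must fit inside that window for the option to match.
        depth = int(opts.get("depth", len(pkt.payload)))
        if needle not in pkt.payload[:depth]:
            return False
    return True


ACK = TCP_FLAG_BITS["A"]
PSH_ACK = TCP_FLAG_BITS["P"] | ACK

# Constructed sample segments (none of these are captured traffic).
SAMPLES = {
    # The kind of request the rule is written for: a call to the worm's
    # root.exe copy of the command shell, on an established port-80 connection.
    "probe_for_backdoor": Packet(80, PSH_ACK,
        b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: victim\r\n\r\n"),
    # Same bytes to a web server on another port: the header says port 80 only.
    "probe_on_alt_port": Packet(8080, PSH_ACK,
        b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"),
    # SYN with no ACK: 'flags: A+' does not match a handshake segment.
    "syn_only": Packet(80, TCP_FLAG_BITS["S"], b""),
    # The literal sits beyond the first 624 payload bytes: outside the depth window.
    "string_past_depth": Packet(80, PSH_ACK,
        b"POST /forum HTTP/1.0\r\nContent-Length: 709\r\n\r\n" + b"x" * 700 + b" root.exe"),
    # An ordinary request whose query string mentions the filename: the rule
    # has no HTTP awareness, so this fires too (a false positive).
    "advisory_search": Packet(80, PSH_ACK,
        b"GET /search?q=remove+root.exe+from+scripts HTTP/1.0\r\n\r\n"),
}


def evaluate_samples() -> dict:
    """Run the posted rule over every sample; returns sample name -> alert fired."""
    rule = parse_rule(RULE)
    return {name: rule_matches(rule, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:20s} -> {'ALERT' if fired else 'no alert'}")
```

Running it prints an alert for the probe and for the harmless search, and nothing for the alternate port, the SYN, or the deep-body case. That is the rule's entire decision surface: a port number, an ACK bit and one literal in a fixed window, which is what makes a rule of this shape cheap to write and, as the message argues, a poor proxy for the backdoor itself.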
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:39:42 PDT