Re: Now the kiddiez started playing

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Mon Aug 06 2001 - 22:12:39 PDT

    Sven Carstens <s.carstensat_private> wrote:
    
    > Just sitting here and enjoying my new snort rules.
    > Then a packet that reports not the codered variant
    > but the plain old .ida access warning.
    > 
    > The mandatory look into the payload reveals:
    >   the next variant
    > 
    > Only occurred twice from the same IP address to the same IP address.
    > The relatively quick check reveals a dial-up system that claims to use
    > an apache server and SuSE-Linux.
    <<snip dump>>
    
    The first 0x05b4 bytes are an exact match to the beginning of 
    CodeRed.B -- the rest looks like random textual (URL?) garbage and 
    almost certainly is just that...
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    


