Sven Carstens <s.carstensat_private> wrote:

> Just sitting here and enjoying my new snort rules.
> Then a packet that reports not the codered variant
> but the plain old .ida access warning.
>
> The mandatory look into the payload reveals:
> the next variant
>
> Only occurred twice from the same ip-address to the same ip-address.
> The relatively quick check reveals a dial-up system that claims to use
> an apache server and SuSE-Linux.

<<snip dump>>

The first 0x05b4 bytes are an exact match to the beginning of CodeRed.B -- the rest looks like random textual (URL?) garbage and almost certainly is just that...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 09:33:08 PDT