> My iis5.0 (patched) logs show the length of the original CodeRed II worm as 3818. It's the same Code Red II. The overall request is usually 3818 bytes, but this is 3379 bytes of payload plus whatever headers are used: GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX.... Content-type: text/xml Content-length: 3379 {{3379 bytes of binary data here}} I routinely find other headers too, such as: GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX.... Host: 64.170.162.100 Connection: keep-alive Content-type: text/xml Content-length: 3379 Via: 1.0 ampere (NetCache NetApp/5.0.1R2) X-Forwarded-For: 212.198.146.153 {{3379 bytes of same binary data here}} Same great taste, just a bit more filling. No evidence *whatsoever* of any Code Red II variants. Steve --- Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561 www.unixwiz.net | I speak for me only | KA8CMY | steveat_private ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 12:57:07 PDT