Re: CodeRed II Mutants - not

From: Stephen Friedl (friedlat_private)
Date: Fri Aug 10 2001 - 07:50:23 PDT

> My iis5.0 (patched) logs show the length of the original CodeRed II worm as 3818.

It's the same Code Red II.

The overall request is usually 3818 bytes, but this is 3379 bytes of payload
plus whatever headers are used:

	GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX....
	Content-type: text/xml
	Content-length: 3379

	{{3379 bytes of binary data here}}

I routinely find other headers too, such as:

	GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX....
	Host: 64.170.162.100
	Connection: keep-alive
	Content-type: text/xml
	Content-length: 3379
	Via: 1.0 ampere (NetCache NetApp/5.0.1R2)
	X-Forwarded-For: 212.198.146.153

	{{3379 bytes of same binary data here}}

Same great taste, just a bit more filling.

No evidence *whatsoever* of any Code Red II variants.

Steve

---
Stephen J Friedl | Software Consultant | Tustin, CA |   +1 714 544-6561
www.unixwiz.net  | I speak for me only |   KA8CMY   | steveat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
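The post's point is that the logged request size varies with the headers a proxy adds, while the worm body stays at 3379 bytes. The following is an added example, not code from the post or its author: it splits a raw HTTP request into headers and body, reports how much of the on-wire size is headers, and matches the traits the post lists (the /default.ida target with a run of X's, text/xml, Content-length 3379) on the body length rather than the total. The two sample requests are constructed from the header sets shown above; the X run length and the filler body bytes are placeholders, not the worm's actual request.

```python
# Added example (not from the original post): reconcile the request sizes an IIS
# log records for Code Red II with the fixed 3379-byte body the post describes.
# Sample requests are constructed; the X run length is a placeholder and the
# body is filler bytes, not the worm's code.

PAYLOAD_LEN = 3379  # Content-length reported in the post


def split_request(raw: bytes):
    """Split a raw HTTP/1.0 request into (request line, headers dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers blank line")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return lines[0], headers, body


def size_breakdown(raw: bytes) -> dict:
    """How much of the on-wire size is headers versus the declared body."""
    _, headers, body = split_request(raw)
    declared = int(headers.get("content-length", "0"))
    header_bytes = len(raw) - len(body)
    return {
        "total": len(raw),
        "header_bytes": header_bytes,
        "declared_body": declared,
        "actual_body": len(body),
        "complete": declared == len(body),  # False when the capture was truncated
    }


def looks_like_code_red_ii(raw: bytes) -> bool:
    """Match the traits the post lists: /default.ida target, X run, text/xml,
    3379-byte body. Header bytes vary with proxies, so the body length, not the
    logged total, is the stable signal."""
    request_line, headers, _ = split_request(raw)
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    return (
        target.startswith("/default.ida?XXXXXXXX")
        and headers.get("content-type", "").lower() == "text/xml"
        and headers.get("content-length") == str(PAYLOAD_LEN)
    )


def build_request(extra_headers=(), x_run=224, body_len=PAYLOAD_LEN) -> bytes:
    """Constructed sample request; x_run and the filler body are placeholders."""
    lines = [f"GET /default.ida?{'X' * x_run} HTTP/1.0", *extra_headers,
             "Content-type: text/xml", f"Content-length: {body_len}"]
    head = "\r\n".join(lines) + "\r\n\r\n"
    return head.encode("latin-1") + b"\x00" * body_len


# The post's two shapes: bare headers, and the same body behind a caching proxy.
MINIMAL = build_request()
PROXIED = build_request([
    "Host: 64.170.162.100",
    "Connection: keep-alive",
    "Via: 1.0 ampere (NetCache NetApp/5.0.1R2)",
    "X-Forwarded-For: 212.198.146.153",
])

if __name__ == "__main__":
    for name, req in (("minimal", MINIMAL), ("proxied", PROXIED)):
        info = size_breakdown(req)
        print(f"{name}: total={info['total']} headers={info['header_bytes']} "
              f"body={info['actual_body']} code_red_ii={looks_like_code_red_ii(req)}")
```

Run it and the two totals differ while `actual_body` is 3379 in both cases, which is why a log filter keyed on the full request length will miss proxied copies; the `complete` flag also separates a genuinely different worm body from a capture that was simply cut short.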
    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 12:57:07 PDT