I know we've beat Code Red into the dirt, but I was examining a compromised system that was compromised in July. According to our IIS logs, the Code Red II worm infected this box on July 25, which is a long time before it was announced. After patching the box on the 27th of July, we figured that all was well because we had heard nothing of the Code Red II yet.

The remnants left behind by the worm are a bit different than the current Code Red II though: the root.exe was on the box in the location the worm puts it, but there was no trojan explorer.exe, and none of the other backdoors were present.

I have put the log entry below showing the exploit. Has anyone seen anything like this?

    2001-07-25 18:30:35 192.172.226.20 - removed for privacy 80 GET /NULL.ida
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=X 200 -

Raymond Booke
MCSE, CCNA, Net+, A+
Perimeter Security Analyst
Global Data Security Group
raymond.bookeat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
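The log entry in the post is the kind of line a defender would want to pull out of an IIS W3C log in bulk: a GET for a `.ida` resource whose query string is a long run of a single padding character, the signature of the Index Server ISAPI overflow that Code Red exploited. The following script is an added example, not part of the original post or of any SecurityFocus tooling. It assumes the same field order as the poster's entry (date, time, client IP, username, server IP, port, method, URI stem, URI query, status, user agent), treats a run of 100 or more identical letters as overflow padding, and uses the padding character as a hint for the variant (Code Red padded with `N`, Code Red II with `X`; the post's lowercase `x` is folded to uppercase for that hint). The sample log lines are constructed with documentation-range IP addresses, not taken from the post.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Field order assumed for the constructed sample lines; it matches the layout of
# the entry in the post (date time c-ip cs-username s-ip s-port cs-method
# cs-uri-stem cs-uri-query sc-status cs(User-Agent)). Real IIS logs declare
# their order in a "#Fields:" header, which a production parser should read.
FIELDS = ["date", "time", "c_ip", "username", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status", "user_agent"]

# A run of one repeated letter this long is overflow padding, not a real query.
PADDING_RE = re.compile(r"([A-Za-z])\1{99,}")

# Heuristic variant hint keyed on the padding character (assumption: N for
# Code Red, X for Code Red II; anything else is reported as unknown).
VARIANT_HINT = {"N": "Code Red (N padding)", "X": "Code Red II (X padding)"}


@dataclass
class IdaHit:
    time: str
    client: str
    uri_stem: str
    pad_char: str
    pad_len: int
    status: int

    def variant(self) -> str:
        return VARIANT_HINT.get(self.pad_char.upper(), "unknown .ida overflow padding")

    def status_note(self) -> str:
        # A 200 means idq.dll handled the request (the host was exposed at the
        # time); a 404 is what IIS returns once the .ida mapping is removed.
        if self.status == 200:
            return "request reached the .ida handler; host was exposed"
        if self.status == 404:
            return ".ida mapping absent; request rejected"
        return f"status {self.status}; inspect manually"


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C log line into a dict, skipping comments and short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec: Optional[dict]) -> Optional[IdaHit]:
    """Return an IdaHit when the record is a padded GET against a .ida resource."""
    if rec is None or rec["method"].upper() != "GET":
        return None
    if not rec["uri_stem"].lower().endswith(".ida"):
        return None
    m = PADDING_RE.search(rec["uri_query"])
    if not m:
        return None  # a legitimate Index Server query, no padding run
    return IdaHit(time=f'{rec["date"]} {rec["time"]}', client=rec["c_ip"],
                  uri_stem=rec["uri_stem"], pad_char=m.group(1),
                  pad_len=len(m.group(0)), status=int(rec["status"]))


def scan(lines: Iterable[str]) -> List[IdaHit]:
    return [h for h in (classify(parse_line(l)) for l in lines) if h is not None]


# Constructed sample log (documentation-range addresses, not the post's data).
SAMPLE_LINES = [
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2001-07-25 18:30:35 203.0.113.7 - 198.51.100.10 80 GET /NULL.ida " + "x" * 224 + "=X 200 -",
    "2001-07-19 10:02:11 203.0.113.8 - 198.51.100.10 80 GET /default.ida " + "N" * 224 + "=X 200 -",
    "2001-08-04 09:41:02 203.0.113.9 - 198.51.100.10 80 GET /default.ida " + "X" * 224 + "=X 404 -",
    "2001-07-25 18:31:00 203.0.113.5 - 198.51.100.10 80 GET /index.html - 200 Mozilla/4.0",
    "2001-07-25 18:32:00 203.0.113.6 - 198.51.100.10 80 GET /search.ida CiRestriction=foo 200 Mozilla/4.0",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"{hit.time} {hit.client} {hit.uri_stem} pad={hit.pad_char}x{hit.pad_len} "
              f"-> {hit.variant()}; {hit.status_note()}")
```

Run against a real log, the useful output is the combination of first-seen timestamp and status: a padded `.ida` request that returned 200 before the patch date marks the window in which the host must be treated as compromised, which is exactly the situation the poster describes.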
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 10:57:53 PDT