On Thu, 10 Jan 2002, Chris Russel wrote:

> After waiting for a capture of an attack session (I didn't have to wait
> long) it seems that the familiar "GET /default.ida*" is now being
> delivered with the "GET " in a separate packet which appears designed to
> defeat the web content-screening features of routers and packet shapers.
>
> It's been a while, but I don't recall it being split up like that before -
> and I still get some with the "GET" in the same packet so I'm led to
> believe there's a new code red variant out there. Can anyone else verify
> that this is new behaviour?

Not yet. I have some questions, though:

Do you have packet traces of one of these? I'm curious as to what they
look like, i.e. are they IP fragments, separate TCP packets, etc.?

Are the ones that have the "GET " separated otherwise regular Code Red?
Have you caught a whole transaction?

It occurs to me that this could potentially be a human attacker who figured
out he had to bypass the filter. If they look like Code Red, grabbing one
will tell you if it's a variant or not. If you get a packet trace of the
whole thing, I can tell you pretty quickly.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
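The detection point behind this exchange, as an added example that is not part of the thread or of any poster's code: a filter that inspects each TCP segment on its own misses the request once "GET " is carried in a separate segment, while matching after stream reassembly still catches it. The segments, addresses and sequence numbers below are constructed, and ports and flags are left out to keep the model small.

```python
# Added example (not from the thread): why a per-segment content filter misses a
# request whose "GET " is sent in its own TCP segment, and how reassembling the
# stream before matching catches it. Packets below are constructed, not captured.
from collections import defaultdict
from typing import Dict, List, Tuple

SIGNATURE = b"GET /default.ida"  # Code Red request prefix as quoted in the thread

# A minimal TCP segment model: (client, server, seq, payload). Real traces would
# also carry ports and flags; they are omitted to keep the example short.
Segment = Tuple[str, str, int, bytes]

def per_packet_match(segments: List[Segment]) -> bool:
    """The 'content-screening router' approach: inspect each segment alone."""
    return any(SIGNATURE in payload for _, _, _, payload in segments)

def reassemble(segments: List[Segment]) -> Dict[Tuple[str, str], bytes]:
    """Rebuild each client->server byte stream by ordering segments on seq.
    Overlapping or retransmitted bytes are dropped (first copy wins)."""
    flows: Dict[Tuple[str, str], List[Tuple[int, bytes]]] = defaultdict(list)
    for client, server, seq, payload in segments:
        flows[(client, server)].append((seq, payload))
    streams: Dict[Tuple[str, str], bytes] = {}
    for key, parts in flows.items():
        data = b""
        next_seq = None
        for seq, payload in sorted(parts):
            if next_seq is None:
                next_seq = seq
            if seq < next_seq:                 # overlap/retransmit: keep first copy
                payload = payload[next_seq - seq:]
                seq = next_seq
            if seq > next_seq:                 # hole in the stream: stop matching here
                break
            data += payload
            next_seq = seq + len(payload)
        streams[key] = data
    return streams

def stream_match(segments: List[Segment]) -> bool:
    """Match the signature only after reassembly, as an IDS or proxy would."""
    return any(SIGNATURE in data for data in reassemble(segments).values())

# Constructed traffic: one request in a single segment, one with "GET " split off.
UNSPLIT = [("10.0.0.5", "192.0.2.10", 1000, b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n")]
SPLIT = [
    ("10.0.0.6", "192.0.2.10", 2004, b"/default.ida?NNNNNNNN HTTP/1.0\r\n"),  # arrives first
    ("10.0.0.6", "192.0.2.10", 2000, b"GET "),                               # "GET " alone
]
```

Running `per_packet_match(SPLIT)` returns False while `stream_match(SPLIT)` returns True, which is the gap Chris's capture exposed in routers and packet shapers that screen content per packet.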
This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 10:38:23 PST