I have seen an enormous number of CodeRed hits lately, and yes - many of them are prefaced with an empty HTTP request. I've been wondering the same thing -- has anyone heard of a scheduled resurgence?

-----Original Message-----
From: Chris Russel [mailto:russelat_private]
Sent: Thursday, January 10, 2002 10:14 AM
To: incidentsat_private
Subject: new codered worm penetrates content-filtering

For a long time I haven't seen codered since we've been using content-screening at the router for blocking the attacks, but suddenly they are showing up again on my IDS. So I was wondering how it is that now they are getting through the content-screening.

After waiting for a capture of an attack session (I didn't have to wait long) it seems that the familiar "GET /default.ida*" is now being delivered with the "GET " in a separate packet which appears designed to defeat the web content-screening features of routers and packet shapers.

It's been a while, but I don't recall it being split up like that before - and I still get some with the "GET" in the same packet so I'm led to believe there's a new code red variant out there.

Can anyone else verify that this is new behaviour?

--
Chris Russel | CNS Information Security
russelat_private | York University, Toronto, Canada

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
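The detection gap Chris describes (a router or packet shaper that inspects each packet on its own misses a request line whose "GET " arrives in a separate segment) is easy to reproduce with a small simulation. The following is an added example, not code from the thread or from any product it mentions; the segments are constructed sample data with placeholder request paths, not captured traffic. It compares a naive per-packet string match with a match run over the reassembled TCP stream, and also covers the case where the two segments arrive out of order, which a per-packet filter cannot handle either.

```python
"""Per-packet vs. stream-reassembled signature matching.

Added example illustrating the split "GET " / "/default.ida" request
reported in the thread. Flows below are constructed, not captured; the
request paths are placeholders.
"""

from collections import defaultdict

# The string a content filter would typically look for in a Code Red probe.
SIGNATURE = b"GET /default.ida"

# Constructed segments: (flow_id, tcp_seq, payload).
#   "whole"     - request line in a single segment (the classic form)
#   "split"     - "GET " sent on its own, as the thread reports
#   "reordered" - the same two segments arriving out of order
#   "benign"    - an ordinary request that must not match
SAMPLE_SEGMENTS = [
    ("whole", 1000, b"GET /default.ida?XXXXXXXX HTTP/1.0\r\n"),
    ("split", 2000, b"GET "),
    ("split", 2004, b"/default.ida?XXXXXXXX HTTP/1.0\r\n"),
    ("reordered", 3004, b"/default.ida?XXXXXXXX HTTP/1.0\r\n"),
    ("reordered", 3000, b"GET "),
    ("benign", 4000, b"GET /index.html HTTP/1.0\r\n"),
]


def per_packet_hits(segments, signature=SIGNATURE):
    """Naive filter: inspect every segment in isolation.

    Returns the set of flow ids in which some single segment contained the
    whole signature. A signature spanning a segment boundary is missed.
    """
    return {flow for flow, _seq, payload in segments if signature in payload}


def reassemble(segments):
    """Order each flow's segments by sequence number and concatenate them.

    This toy reassembler only sorts contiguous segments; a production stack
    must also deal with gaps, overlaps, retransmissions and buffer limits.
    """
    flows = defaultdict(list)
    for flow, seq, payload in segments:
        flows[flow].append((seq, payload))
    return {
        flow: b"".join(payload for _seq, payload in sorted(parts))
        for flow, parts in flows.items()
    }


def stream_hits(segments, signature=SIGNATURE):
    """Stream-aware filter: match against the reassembled byte stream."""
    return {
        flow for flow, data in reassemble(segments).items() if signature in data
    }


def evaded_flows(segments, signature=SIGNATURE):
    """Flows the per-packet filter lets through but stream matching catches."""
    return stream_hits(segments, signature) - per_packet_hits(segments, signature)


if __name__ == "__main__":
    print("per-packet matches :", sorted(per_packet_hits(SAMPLE_SEGMENTS)))
    print("stream matches     :", sorted(stream_hits(SAMPLE_SEGMENTS)))
    print("evaded per-packet  :", sorted(evaded_flows(SAMPLE_SEGMENTS)))
```

The practical takeaway for anyone relying on router-level content screening is that a match must be applied to the reassembled stream (as a stream-aware IDS does) rather than to individual packets, and that the same blind spot covers any request whose signature straddles a segment boundary for ordinary reasons, not only deliberate splitting.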
This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 10:58:19 PST