Re: new codered worm penetrates content-filtering

From: Ryan Russell (ryanat_private)
Date: Thu Jan 10 2002 - 14:42:32 PST

Next message: Michael H. Warfield: "Re: new codered worm penetrates content-filtering"

Previous message: Ryan Russell: "Re: Re(2): new codered worm penetrates content-filtering"
Maybe in reply to: Chris Russel: "new codered worm penetrates content-filtering"
Next in thread: Nick FitzGerald: "Re: new codered worm penetrates content-filtering"
Reply: Nick FitzGerald: "Re: new codered worm penetrates content-filtering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

OK, I got a sample of one of the CodeReds from Chris Russel that had the
"GET " in one packet, and the rest in subsequent packets.  They are whole
IP packets, so it's not fragmentation.  The actual worm itself is simply
CodeRed.b.  The only other weird thing I've noted is that the PSH flag is
set on the first two packets from the attacker, after the handshake.  I
don't think that's normal.

					Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Michael H. Warfield: "Re: new codered worm penetrates content-filtering"
Previous message: Ryan Russell: "Re: Re(2): new codered worm penetrates content-filtering"
Maybe in reply to: Chris Russel: "new codered worm penetrates content-filtering"
Next in thread: Nick FitzGerald: "Re: new codered worm penetrates content-filtering"
Reply: Nick FitzGerald: "Re: new codered worm penetrates content-filtering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 15:14:04 PST