Note that this may simply be a confusion about the word 'packet'. I have
interpreted said word to mean a single transmission from one host to another,
such that there is a TCP SYN packet, then a TCP SYN,ACK packet, then a TCP ACK
packet. Correct me if I'm wrong.

> The packet itself appears to be classic CodeRed (II I believe), but
> again, we're getting only the second packet. No TCP 3-way, for first
> packet.

You said 'No TCP 3-way'. Do you mean that the initial GET is incomplete because
of a TCP-layer problem? Is there any attempt at all by the remote host to send
it? Do you maybe have a firewall which is watching the packets, noticing the
first packet is C-R, and then blocking it?

Obviously, the C-R detectors that are out there need to be improved, if simply
sending the first GET..

Justin Pryzby

On Mon, Apr 28, 2003 at 01:13:00PM -0500, Frank Knobbe wrote:
>
>
> As I see it did make it to the list, here an update.
>
> The reason this packet hasn't been tripping the usual signatures is
> simple. We are receiving *only* the second packet. There is no first
> packet with GET /default.ida?XXXX etc.
>
> The packet itself appears to be classic CodeRed (II I believe), but
> again, we're getting only the second packet. No TCP 3-way, for first
> packet.
>
> While keeping our eyes on this, the majority appears to be coming from
> China, but we do see some domestic (USA), Turkey, and I believe a
> Brazilian.
>
> I'm curious if anyone else is seeing these second-packet-only CodeReds.
>
> Regards,
> Frank
>
>
>
> On Fri, 2003-04-25 at 13:55, Frank Knobbe wrote:
...

> << This is a digitally signed message part >>
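Added example, not part of either Justin's or Frank's message: a small stateful
TCP flow tracker of the kind a sensor needs in order to notice the situation
Frank describes. A signature that matches only "GET /default.ida?" never fires
on the second segment, so the tracker instead records whether it saw the
SYN / SYN,ACK / ACK exchange for each flow and flags any payload-bearing
segment on a flow with no observed handshake, alongside the ordinary CodeRed
request-line match. The packets, addresses and filler payload below are
constructed for the demonstration; only the "GET /default.ida?" request line
comes from the thread. It runs offline on the embedded sample.

```python
"""Flag TCP data segments that arrive without an observed three-way handshake.

Added example (not code from the thread).  All packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYN = 0x02
PSH = 0x08
ACK = 0x10
CODERED_MARKER = b"GET /default.ida?"   # request line quoted in the thread

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


@dataclass
class Flow:
    # Handshake progress as seen by this sensor: NEW -> SYN_SENT -> SYN_RECV -> ESTABLISHED
    state: str = "NEW"
    initiator: Optional[Endpoint] = None


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a conversation share one Flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class HandshakeTracker:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Flow] = {}
        self.findings: List[dict] = []

    def feed(self, p: Packet) -> None:
        flow = self.flows.setdefault(flow_key(p), Flow())
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)

        # Advance the handshake state machine; anything out of order is ignored,
        # so a lone ACK on a flow we have never seen stays in state NEW.
        if syn and not ack:
            flow.state, flow.initiator = "SYN_SENT", (p.src, p.sport)
        elif syn and ack and flow.state == "SYN_SENT":
            flow.state = "SYN_RECV"
        elif ack and not syn and flow.state == "SYN_RECV":
            flow.state = "ESTABLISHED"

        if not p.payload:
            return
        if flow.state != "ESTABLISHED":
            # The case reported in the thread: a data segment for which this
            # sensor never saw SYN / SYN,ACK / ACK (mid-stream pickup).
            self.findings.append({"kind": "midstream_data", "src": p.src,
                                  "dst": p.dst, "dport": p.dport,
                                  "bytes": len(p.payload)})
        if CODERED_MARKER in p.payload:
            self.findings.append({"kind": "codered_request", "src": p.src,
                                  "dst": p.dst, "dport": p.dport})


def analyse(packets: List[Packet]) -> List[dict]:
    """Run every packet through one tracker and return the findings in order."""
    tracker = HandshakeTracker()
    for p in packets:
        tracker.feed(p)
    return tracker.findings


# Constructed sample (documentation address ranges, filler payloads):
#  - flow A: complete handshake, then a CodeRed-style GET and a second segment
#  - flow B: only a "second" data segment, no handshake at all
VICTIM = "198.51.100.10"
SAMPLE = [
    Packet("192.0.2.44", 3371, VICTIM, 80, SYN),
    Packet(VICTIM, 80, "192.0.2.44", 3371, SYN | ACK),
    Packet("192.0.2.44", 3371, VICTIM, 80, ACK),
    Packet("192.0.2.44", 3371, VICTIM, 80, PSH | ACK,
           b"GET /default.ida?" + b"X" * 40 + b" HTTP/1.0\r\n"),
    Packet("192.0.2.44", 3371, VICTIM, 80, PSH | ACK, b"X" * 64),
    Packet("203.0.113.7", 1025, VICTIM, 80, PSH | ACK, b"X" * 64),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

The second flow produces a "midstream_data" finding and nothing else, which is
exactly the segment a pure "GET /default.ida?" signature lets through. A real
sensor would also have to allow for connections that were established before
it started listening, so in practice this finding is worth alerting on only for
flows whose first observed segment already carries a payload to a service port.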
This archive was generated by hypermail 2b30 : Tue Apr 29 2003 - 15:37:33 PDT