Bugtraq mailing list archives
Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm.
From: Joe Harris <cdi () thewebmasters net>
Date: Thu, 19 Jul 2001 11:30:44 -0700 (PDT)
On Wed, 18 Jul 2001, Marc Maiffret wrote:

> The following is a detailed analysis of the "Code Red" .ida worm that we reported on July 17th 2001.

[snip much excellent stuff]

> The following is part of the packet data that is sent for this .ida "Code Red" worm attack:
>
> GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
>
> Just add that to your IDS signature database.
A notable side effect of this... the worm signature is wreaking havoc with Cisco 675, 677, and 678 DSL routers that have the Web Based Configuration Interface enabled.

Ref BugTraq ID # 2012
http://www.securityfocus.com/vdb/bottom.html?vid=2012

Any request which includes a question mark made to the Web Admin Interface on these Cisco devices will cause them to lock up.

I mention this only because I work tech-support at an ISP and the phones have been going nuts this morning.

Useless trivia - Web server log ida worm signatures seen yesterday: 0

Today the web server (apache) is recording an average of 4 unique IPs attacking the server every hour.

This one's gonna be bad.

CDI

--
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse: filesystem not big enough for Jumbo Kernel Patch
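The per-hour count of unique attacking IPs mentioned in the reply, computed from Apache access logs, as an added example (not code from the thread). The log lines are constructed; the worm request line reuses the signature quoted above with the run of N's shortened, and the regex is an assumed prefix match on that signature.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache common-log lines (not taken from the post). The worm
# request line is the signature quoted above, with the run of N's shortened.
IDA = ("GET /default.ida?" + "N" * 32
       + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
       + "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0")
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [19/Jul/2001:09:12:01 -0700] "{IDA}" 200 240',
    f'192.0.2.11 - - [19/Jul/2001:09:40:33 -0700] "{IDA}" 200 240',
    f'192.0.2.10 - - [19/Jul/2001:09:55:12 -0700] "{IDA}" 200 240',
    '198.51.100.7 - - [19/Jul/2001:09:58:47 -0700] "GET /index.html HTTP/1.0" 200 1043',
    f'203.0.113.5 - - [19/Jul/2001:10:02:09 -0700] "{IDA}" 200 240',
])

# Common Log Format: client ident user [timestamp] "request line" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# Worm signature: /default.ida query holding a long run of N's, then the
# %uXXXX-encoded payload. Prefix match only; the N count varies by variant.
IDA_RE = re.compile(r'^GET /default\.ida\?N{16,}(?:%u[0-9a-fA-F]{4})+')

def is_ida_worm_request(request_line):
    # True when the request line matches the Code Red .ida signature.
    return IDA_RE.match(request_line) is not None

def parse_line(line):
    # Returns (ip, "YYYY-MM-DD HH" bucket, request line), or None if unparsable.
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), when.strftime("%Y-%m-%d %H"), m.group("req")

def unique_attackers_per_hour(log_text):
    # Hour bucket -> set of distinct source IPs that sent a worm request.
    hours = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_ida_worm_request(parsed[2]):
            hours[parsed[1]].add(parsed[0])
    return dict(hours)

def average_unique_per_hour(log_text):
    # The figure the post quotes: distinct attacking IPs per hour, averaged.
    hours = unique_attackers_per_hour(log_text)
    return sum(len(ips) for ips in hours.values()) / len(hours) if hours else 0.0
```

Repeated hits from one IP within an hour count once, so the figure tracks distinct infected hosts rather than request volume.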