Security Incidents mailing list archives

Re: CodeRedII worm..


From: "A.L.Lambert" <alambert () manisec com>
Date: Sun, 5 Aug 2001 18:51:47 -0500 (CDT)

I have seen no checks for root.exe so far. But Nessus already has a
codered_x.nasl, congrats on this speed!

# special root.exe from CR2
alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)

        FYI - if you're using the syslog output of snort, and logging to a
separate box for redundancy, that'll cause an infinite loop (msg contains
content field).  I recommend the following:

alert tcp any any -> any 80 (msg: "CodeRedII root exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)

        Cheers!

-- 
Adam Lambert
Chief Technical Officer
ManISec, Inc. - "Managed Internet Security Services"
http://www.manisec.com
mailto:alambert () manisec com

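The loop described above is a rule whose own alert text satisfies its own content match. The check below is an added example, not part of the post or of Snort: a small lint over one-line Snort rules that reports content patterns appearing in the rule's msg and rewrites the msg the way the post does (punctuation inside the pattern becomes spaces). The option parser is deliberately simplified and assumes rules on a single line with no "(" in the header.

```python
import re

# Snort rule options are "key:value;" pairs or bare flags such as "nocase;".
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

# The two rules from the post; the first one matches its own alert text.
LOOPING_RULE = ('alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; '
                'content:"root.exe"; depth:624; classtype:attempted-admin;)')
FIXED_RULE = ('alert tcp any any -> any 80 (msg: "CodeRedII root exe"; flags: A+; '
              'content:"root.exe"; depth:624; classtype:attempted-admin;)')

def parse_options(rule):
    """Split a one-line rule into (key, value) option pairs (simplified parser)."""
    _, _, body = rule.partition("(")      # assumes no "(" in the rule header
    body = body.rsplit(")", 1)[0]         # drop the closing parenthesis
    # Quotes around msg/content values are stripped; bare flags get value "".
    return [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(body)]

def self_matching_contents(rule):
    """Content patterns that also occur in the rule's own msg text, i.e. the rule
    would fire on its own alert if that alert is ever inspected again.
    Hex contents (|..|) are skipped; 'nocase' makes the test case-insensitive."""
    opts = parse_options(rule)
    msgs = [v for k, v in opts if k == "msg"]
    nocase = ("nocase", "") in opts
    hits = []
    for key, pattern in opts:
        if key != "content" or "|" in pattern:
            continue
        if any(pattern.lower() in m.lower() if nocase else pattern in m for m in msgs):
            hits.append(pattern)
    return hits

def sanitized_msg(rule):
    """Apply the post's fix: replace punctuation inside each offending pattern with
    spaces. Returns None if the rule is already safe or a pattern has no punctuation."""
    hits = self_matching_contents(rule)
    if not hits:
        return None
    opts = parse_options(rule)
    msg = next(v for k, v in opts if k == "msg")
    flags = re.IGNORECASE if ("nocase", "") in opts else 0
    for pattern in hits:
        replacement = re.sub(r"[^A-Za-z0-9]", " ", pattern)
        if replacement == pattern:
            return None
        msg = re.sub(re.escape(pattern), replacement, msg, flags=flags)
    return msg
```

Run over a whole rules file, a non-empty result from self_matching_contents marks the rules to rewrite before pointing syslog output at a remote sensor.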


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com