Security Incidents mailing list archives
Re: CodeRedII worm..
From: "A.L.Lambert" <alambert () manisec com>
Date: Sun, 5 Aug 2001 18:51:47 -0500 (CDT)
> I have seen no checks for root.exe so far. But Nessus already has a
> codered_x.nasl, congrats to this speed!
>
> # special root.exe from CR2
> alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)
FYI - if you're using the syslog output of snort, and logging to a separate box for redundancy, that'll cause an infinite loop (msg contains content field). I recommend the following:

alert tcp any any -> any 80 (msg: "CodeRedII root exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)

Cheers!

-- 
Adam Lambert
Chief Technical Officer
ManISec, Inc. - "Managed Internet Security Services"
http://www.manisec.com
mailto:alambert () manisec com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
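The feedback loop described in the reply (a rule whose msg text contains its own content pattern, so a sensor that sees the forwarded syslog alert fires again on the alert) can be checked mechanically before a rule goes into production. The following is an added example written for this archive page; it is not code from the thread, from snort, or from ManISec. It implements a minimal parser for the snort 1.x rule syntax shown above (header, msg, flags, content, depth, classtype, nocase only), models the content/depth match and the "A+" flag test, approximates the one-line alert snort writes to syslog (the exact format is an assumption, not copied from the snort source), and then lints each rule by feeding its own alert line back through its content test. The rule file and the HTTP request are constructed sample input; the first rule is the one quoted in the thread, the second is the replacement suggested in the reply.

```python
import re

# Constructed sample rule file: the rule quoted in the thread and the
# replacement suggested in the reply (assumption: plain snort 1.x syntax).
SAMPLE_RULES = '''
# special root.exe from CR2
alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)
alert tcp any any -> any 80 (msg: "CodeRedII root exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)
'''

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# keyword, optional ':' plus a quoted or bare value, terminated by ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*(?:"([^"]*)"|([^;"]*)))?\s*;')


def parse_rule(line):
    """Parse one snort rule into its header fields plus an options dict."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError('not a snort rule: %r' % line)
    rule = m.groupdict()
    opts = {}
    for key, quoted, bare in OPTION_RE.findall(rule.pop('opts')):
        opts[key] = quoted if quoted else bare.strip()
    rule['opts'] = opts
    return rule


def parse_rules(text):
    """Parse a rule file, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]


def header_matches(rule, dport, tcp_flags):
    """Destination port plus the flags option; 'A+' means ACK set, other bits ignored."""
    if rule['dport'] != 'any' and int(rule['dport']) != dport:
        return False
    want = rule['opts'].get('flags', '')
    if want.endswith('+'):
        return all(f in tcp_flags for f in want[:-1])
    return want == '' or set(want) == set(tcp_flags)


def content_matches(rule, payload):
    """content/depth: the pattern must lie inside the first `depth` payload bytes."""
    pat = rule['opts']['content'].encode()
    if 'nocase' in rule['opts']:
        pat, payload = pat.lower(), payload.lower()
    depth = int(rule['opts']['depth']) if 'depth' in rule['opts'] else len(payload)
    return pat in payload[:depth]


def matches(rule, dport, tcp_flags, payload):
    """Full (simplified) rule evaluation for one TCP segment."""
    return header_matches(rule, dport, tcp_flags) and content_matches(rule, payload)


def syslog_line(rule, src='10.0.0.5:3412', dst='10.0.0.9:80'):
    """Approximate the single-line alert snort hands to syslog.
    Assumption: format modelled on snort 1.x output, not taken from its source."""
    o = rule['opts']
    return 'snort: [1:0:0] %s [Classification: %s] [Priority: 2]: {%s} %s -> %s' % (
        o['msg'], o.get('classtype', 'unknown'), rule['proto'].upper(), src, dst)


def self_triggering(rule):
    """True when the alert text for this rule contains the rule's own content
    pattern, i.e. a sensor that sees its forwarded syslog traffic would alert
    on the alert and loop, as the reply above warns."""
    return content_matches(rule, syslog_line(rule).encode())


def lint(rules):
    """Return the msg of every rule whose own alert line re-triggers it."""
    return [r['opts']['msg'] for r in rules if self_triggering(r)]


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    # constructed CodeRed II style request against the backdoor copy of cmd.exe
    request = b'GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: victim\r\n\r\n'
    for r in rules:
        print('%-20s fires on request: %s  self-triggering: %s' % (
            r['opts']['msg'], matches(r, 80, 'PA', request), self_triggering(r)))
    print('loop-prone rules:', lint(rules))
```

Run against the two sample rules, both fire on the constructed request, but only the quoted rule is reported by `lint`, because its msg "CodeRedII root.exe" carries the content string while "CodeRedII root exe" does not. The same check is worth running over a whole rule set whenever alerts are forwarded over a link the sensor itself inspects.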
Current thread:
- CodeRedII worm.. Valdis . Kletnieks (Aug 05)
- Re: CodeRedII worm.. Pluto (Aug 05)
- Re: CodeRedII worm.. A.L.Lambert (Aug 05)
- Re: CodeRedII worm.. Nick FitzGerald (Aug 06)
- Re: CodeRedII worm.. Nick FitzGerald (Aug 06)
- Re: CodeRedII worm.. Emory Wood (Aug 06)
- Re: CodeRedII worm.. Pluto (Aug 05)