Security Incidents mailing list archives
Re: CodeRed II Mutants - not
From: Denis Ducamp <Denis.Ducamp () hsc fr>
Date: Fri, 10 Aug 2001 22:52:40 +0200
On Fri, Aug 10, 2001 at 07:50:23AM -0700, Stephen Friedl wrote:
My iis5.0 (patched) logs show the length of the original CodeRed II worm as 3818.It's the same Code Red II. The overall request is usually 3818 bytes, but this is 3379 bytes of payload plus whatever headers are used: GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX.... Content-type: text/xml Content-length: 3379 {{3379 bytes of binary data here}} I routinely find other headers too, such as: GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX.... Host: 64.170.162.100 Connection: keep-alive Content-type: text/xml Content-length: 3379 Via: 1.0 ampere (NetCache NetApp/5.0.1R2) X-Forwarded-For: 212.198.146.153 {{3379 bytes of same binary data here}}
Fun, this comes from a french ISP called noos (mine ;-) . Additionnal lines are added by some transparent http proxies that we have to use, no one can choose tu use them or not. Here the real infected system is 212.198.146.153 and the proxy is ampere.noos.net
Same great taste, just a bit more filling.
Which is more fun is that some transparent proxies at noos break from time to time the request and the first 124 bytes are missing so the request isn't valide...
No evidence *whatsoever* of any Code Red II variants.
none seen here... Denis Ducamp. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: CodeRed II Mutants - not Stephen Friedl (Aug 10)
- Re: CodeRed II Mutants - not Denis Ducamp (Aug 10)