Security Incidents mailing list archives
Code Red II hit in July???
From: "Booke, Raymond" <Raymond.Booke () Avnet com>
Date: Mon, 13 Aug 2001 16:15:19 -0700
I know we've beat Code Red into the dirt, but I was examining a compromised system that was compromised in July. According to our IIS logs, the Code Red II worm infected this box on July 25, which is a long time before it was announced. After patching the box on the 27th of July, we figured that all was well because we had heard nothing of the Code Red II yet.

The remnants left behind by the worm are a bit different than the current Code Red II, though: the root.exe was on the box in the location the worm puts it, but there was no trojan explorer.exe, and none of the other backdoors were present. I have put the log entry below showing the exploit. Has anyone seen anything like this?

2001-07-25 18:30:35 192.172.226.20 - removed for privacy 80 GET /NULL.ida xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=X 200 -

Raymond Booke
MCSE, CCNA, Net+, A+
Perimeter Security Analyst
Global Data Security Group
raymond.booke () avnet com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
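An added example, not part of the original post: a small scanner that pulls padded .ida requests of the shape shown in the log entry above out of IIS logs and orders them by timestamp, so the earliest hit on a host can be compared against patch and announcement dates. The field layout is taken from the posted entry; the sample lines, the addresses in them and the 100-character padding threshold are constructed assumptions.

```python
import re
from collections import namedtuple

Hit = namedtuple("Hit", "date time client stem filler run status")

# date, time, client IP, anything up to the method, a URI stem ending in
# .ida, the query string, and the HTTP status (layout of the posted entry).
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) .*?"
    r"\b(GET|POST|HEAD) (\S+\.ida) (\S+) (\d{3})\b", re.IGNORECASE)
RUN = re.compile(r"(.)\1+")   # a run of one repeated character (padding)
MIN_RUN = 100                 # assumption: shorter runs are not padding

# Constructed sample lines (documentation addresses, not real hosts).
SAMPLE = [
    "2001-08-06 03:02:11 192.0.2.77 - 198.51.100.5 80 GET /default.ida "
    + "X" * 224 + "=a 200 -",
    "2001-07-24 09:12:01 192.0.2.44 - 198.51.100.5 80 GET /index.html - 200 -",
    "2001-07-25 18:30:35 192.0.2.20 - 198.51.100.5 80 GET /NULL.ida "
    + "x" * 224 + "=X 200 -",
    "2001-07-26 11:00:00 192.0.2.9 - 198.51.100.5 80 GET /search.ida q=report 200 -",
]

def scan(lines, min_run=MIN_RUN):
    """Return padded .ida requests as Hit tuples, oldest first."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        date, time, client, _method, stem, query, status = m.groups()
        runs = [r.group(0) for r in RUN.finditer(query)]
        if not runs:
            continue
        longest = max(runs, key=len)
        if len(longest) < min_run:
            continue          # ordinary query string, not a padded request
        hits.append(Hit(date, time, client, stem,
                        longest[0], len(longest), int(status)))
    return sorted(hits, key=lambda h: (h.date, h.time))

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(h.date, h.time, h.client, h.stem,
              f"filler={h.filler!r} x{h.run}", h.status)
```

Recording the filler character and run length alongside the date makes it easier to group hits that look alike before checking each host for leftover files such as root.exe.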
Current thread:
- Code Red II hit in July??? Booke, Raymond (Aug 14)
- Re: Code Red II hit in July??? Ryan Russell (Aug 14)