Security Incidents mailing list archives
Re: Code Red II hit in July???
From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 14 Aug 2001 13:31:10 -0600 (MDT)
On Mon, 13 Aug 2001, Booke, Raymond wrote:
> announced. After patching the box on the 27th of July, we figured that all was well because we had heard nothing of the Code Red II yet. The remnants left behind by the worm are a bit different than the current Code Red II though, the root.exe was on the box in the location the worm puts it, but there was no trojan explorer.exe, and none of the other backdoors were present.
Then it was probably the sadmind worm, or a manual equivalent, not Code Red II.
> I have put the log entry below showing the exploit. Has anyone seen anything like this?
>
> 2001-07-25 18:30:35 192.172.226.20 - removed for privacy 80 GET /NULL.ida xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=X 200 -
That is someone checking to see if you are vulnerable. It is not long enough to exploit anything, and doesn't match the Code Red signatures (which both use default.ida, not NULL.ida). I think what you have is a box that was compromised prior to July 25th. What are the MAC times on root.exe?

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
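The distinction Ryan draws above (a short NULL.ida probe versus a default.ida request carrying a long N/X filler) can be applied mechanically to an IIS W3C log. This is an added example, not code from the original thread: the field order follows the quoted log entry, the 200-character filler threshold and the 192.0.2.x addresses are assumptions, and the sample lines are constructed.

```python
"""Triage .ida requests in IIS W3C extended log lines (added example).

Field order (date time c-ip user s-ip port method uri-stem uri-query status)
follows the entry quoted in the thread. Sample lines are constructed; the
Code Red-style line uses a placeholder in place of any real payload.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<user>\S+) (?P<server>\S+) "
    r"(?P<port>\d+) (?P<method>\S+) (?P<uri>\S+) (?P<query>\S+) (?P<status>\d+)"
)

# Code Red v1/v2 and Code Red II both hit default.ida with a run of roughly
# 224 N or X characters before the encoded payload. 200 is an assumed cut-off
# that still separates worm traffic from short "is .ida mapped?" probes.
WORM_MIN_FILLER = 200


def classify_ida_request(line: str) -> str:
    """Return 'not-ida', 'probe' or 'codered-like' for one log line."""
    m = LOG_RE.match(line.strip())
    if not m or not m.group("uri").lower().endswith(".ida"):
        return "not-ida"
    uri = m.group("uri").lower()
    filler = re.match(r"^([NnXx]+)", m.group("query"))
    filler_len = len(filler.group(1)) if filler else 0
    # Worm signature: default.ida plus a long filler. NULL.ida, or a filler
    # too short to overflow anything, is a scanner checking for the mapping.
    if uri.endswith("/default.ida") and filler_len >= WORM_MIN_FILLER:
        return "codered-like"
    return "probe"


def summarize(lines) -> dict:
    """Count classifications across a log; useful for a quick timeline check."""
    return dict(Counter(classify_ida_request(l) for l in lines))


# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "2001-07-25 18:30:35 192.0.2.20 - 192.0.2.10 80 GET /NULL.ida " + "x" * 180 + "=X 200 -",
    "2001-08-04 10:02:11 192.0.2.33 - 192.0.2.10 80 GET /default.ida "
    + "X" * 224 + "%uPAYLOAD_PLACEHOLDER 200 -",
    "2001-08-04 10:02:12 192.0.2.40 - 192.0.2.10 80 GET /index.htm - 200 -",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_ida_request(line), line[:60])
    print(summarize(SAMPLE_LOG))
```

A probe classified this way says nothing about when the box was actually compromised, which is why the MAC times on root.exe are the next thing to check.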