Security Incidents mailing list archives
Re: What if CodeRed encoded it's HTTP requests?
From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Mon, 20 Aug 2001 11:39:40 -0400 (EDT)
On Mon, 20 Aug 2001, Nuno Mendes wrote:
I was just checking how many CodeRed I and II attempts I had on my Linux based Apache server, and figuring out what if a new version of the worm encoded 'degault.ida' in hexadecimal? Or even the data that causes the buffer overflow?
check out whisker and ADMmutate, both of which use encoding to obfuscate the strings they send. they help kill signature based IDS work. and more than hex, unicode, with even more possibilities. http://www.wiretrip.net/rfp/ http://ktwo.ca/ ____________________________ jose nazario jose () cwru edu PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80 PGP key ID 0xFD37F4E5 (pgp.mit.edu) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- What if CodeRed encoded it's HTTP requests? Nuno Mendes (Aug 20)
- Re: What if CodeRed encoded it's HTTP requests? Ryan Russell (Aug 20)
- Re: What if CodeRed encoded it's HTTP requests? Jose Nazario (Aug 20)