Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CodeRed

From: James T Kirk <Captain_Kirk () myrealbox com>
Date: Fri, 20 Jul 2001 13:18:25 -0400 (Eastern Daylight Time)

NFR Security's NID does. It caught the intial .ida attacks and they have
updated one of their packages to include information on the worm.

On Thu, 19 Jul 2001, Ryan Russell wrote:


Here's a copy of CodeRed, as captured by my elite honeypot:

nc -l -p 80 > c:\gotcha

It's in a password protected .zip file, password is "worm" without the
quotes.  The zip file is only about 2K, so it shouldn't cause undue stress
on anyone's mail server or client.

There is a rule available for Snort:
http://www.whitehats.com/info/IDS552

BlackICE defender spotted this one as "Suspicious URL":
39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17,
st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,

And I'm not aware of other IDS' that catch this.  (Though I'd like to be
corrected if that's not the case.)

                              Ryan






----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: