Security Incidents mailing list archives
Re: "Code Red" worm questions
From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Thu, 19 Jul 2001 03:37:04 +1000
w1re p4ir wrote:
I've read practically everything about this worm that has been released. But there are a few questions that I have. First off, I know the first exploit was written by hsj and it used the offsets for the japanesse version of IIS. Now in this new worm, has the code been modified with US (or other) offsets to attack english versions? I have already had a call regarding a possible "break in attempt." with very little other information. I would like to be able to them either they are vulnerable to this worm or not. Thank you, w1re
The original eEye post about the idq.dll bug contains enough information on how to cause the buffer overflow. It could be quickly put into a perl or similar scripted language for quick tests. (You wont get a C:\> prompt, but if you crash IIS, it's a good indication you'll have no trouble using the appropriate exploit) Personally i think just having idq.dll enabled when it's not needed is a vulnerability, but thats just me.. Regards, Chris. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- "Code Red" worm questions w1re p4ir (Jul 18)
- Re: "Code Red" worm questions Nathan W. Labadie (Jul 18)
- Re: "Code Red" worm questions Chris Keladis (Jul 18)
- RE: "Code Red" worm questions Marc Maiffret (Jul 18)
- RE: "Code Red" worm questions Johannes B. Ullrich (Jul 18)
- RE: "Code Red" worm questions Marc Maiffret (Jul 18)
- RE: "Code Red" worm questions Eric Chien (Jul 19)
- RE: "Code Red" worm questions Johannes B. Ullrich (Jul 18)
- Re: "Code Red" worm questions Brian McWilliams (Jul 18)