Security Incidents mailing list archives

Re: Code Red gone to sleep?

From: hvdkooij () vanderkooij org
Date: Fri, 5 Oct 2001 01:29:45 +0200 (CEST)

On Tue, 2 Oct 2001, Jay D. Dyson wrote:

      We were discussing on the Early Bird Developers list that none of
us have seen any Code Red scans since September 30th.


It seems CodeRed isn't dead yet. I just logged an access attempt to
default.ida from a Korean machine that seem to be infected with some
strand.

The server reported on port 80:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 10 Jun 2001 23:22:54 GMT
Connection: Keep-Alive
Content-Length: 1176
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQGQGGCBC=PPDDCKGABGKGDBOKGDOCJELP; path=/
Cache-control: private

I was unable to understand a single character shown on the server.

Hugo.

PS: nimda seems to slow down a little bit.

-- 
All email send to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Code Red gone to sleep? Jay D. Dyson (Oct 02)
- Re: Code Red gone to sleep? Ryan Russell (Oct 02)
- Re: Code Red gone to sleep? Kath (Oct 02)
- Re: Code Red gone to sleep? cambria (Oct 02)
  - Re: Code Red gone to sleep? Andreas Östling (Oct 03)
- Re: Code Red gone to sleep? hvdkooij (Oct 04)
  - Re: Code Red gone to sleep? cambria (Oct 05)