SV: The Return of Code Red II?

["Peter Kruse" <kruse () krusesecurity dk>]

Hi,

I can confirm this. I've had several hits since yesterday.

Med venlig hilsen // Kind regards

Peter Kruse
Kruse Security
Email: kruse () krusesecurity dk
http://www.krusesecurity.dk


> -----Oprindelig meddelelse-----
> Fra: Stan Burditzman [mailto:slidefx2 () hotmail com] 
> Sendt: 11. marts 2003 18:24
> Til: incidents () securityfocus com
> Emne: The Return of Code Red II?
>
>
>
> Is anyone else seeing traffic generated by Code Red II.  I 
> thought it wasn't 
> supposed to propagate after 10/01?  Unfortunately I don't 
> have the whole 
> string but here is the RealSecure Event.
>
> Event Name:   HTTP_Code_Red_II
> Date/Time:    2003/03/11 09:32:11
> Source Addr:  211.148.215.243
> Destination Addr:     161.xxx.xxx.xxx
> Protocol Id:  TCP(6)
> URL:  /default.ida
> arg:  
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%
>
>
> _________________________________________________________________
> Tired of spam? Get advanced junk mail protection with MSN 8. 
> http://join.msn.com/?page=features/junkmail
>
>
> --------------------------------------------------------------
> --------------
>
> <Pre>Lose another weekend managing your IDS?
> Take back your personal time.
> 15-day free trial of StillSecure Border Guard.</Pre>
> <A href="http://www.securityfocus.com/stillsecure";> 
> http://www.securityfocus.com/stillsecure </A>


----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>