Bugtraq mailing list archives

Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm.


From: Joe Harris <cdi () thewebmasters net>
Date: Thu, 19 Jul 2001 11:30:44 -0700 (PDT)

On Wed, 18 Jul 2001, Marc Maiffret wrote:


The following is a detailed analysis of the "Code Red" .ida worm that we
reported on July 17th 2001.

[snip much excellent stuff]

The following is part of the packet data that is sent for this .ida "Code
Red" worm attack:

GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0
Just add that to your IDS signature database.

A notable side effect of this: the worm signature is wreaking havoc with
Cisco 675, 677, and 678 DSL routers that have the Web Based Configuration
Interface enabled.

  Ref BugTraq ID # 2012
  http://www.securityfocus.com/vdb/bottom.html?vid=2012

Any request which includes a question mark made to the Web Admin Interface
on these Cisco devices will cause them to lock up. I mention this only
because I work tech-support at an ISP and the phones have been going nuts
this morning.

Useless trivia -
Web server log ida worm signatures seen yesterday: 0
Today the web server (apache) is recording an average of 4 unique IPs
attacking the server every hour.

This one's gonna be bad.

CDI
-- 
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse:
filesystem not big enough for Jumbo Kernel Patch
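Added example, not part of the original post or of eEye's advisory: a Python scan over Apache common-format log lines that flags the quoted .ida request pattern and counts unique source IPs per hour, the figure mentioned above. The log lines and IP addresses are constructed, and the run of N padding is shortened from the real worm's.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Code Red request as quoted in the thread: GET /default.ida? followed by a long
# run of 'N' padding and %uXXXX-encoded payload, ending with the HTTP version.
CODE_RED_RE = re.compile(
    r'^GET /default\.ida\?N{20,}(?:%u[0-9a-fA-F]{4})+.*HTTP/1\.[01]$'
)

# Constructed sample data (hypothetical hosts; padding shortened to 30 N's).
PAD = "N" * 30
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
WORM_REQ = f"GET /default.ida?{PAD}{PAYLOAD} HTTP/1.0"
SAMPLE_LOG = [
    f'10.0.0.5 - - [19/Jul/2001:09:14:02 -0700] "{WORM_REQ}" 404 276',
    f'10.0.0.5 - - [19/Jul/2001:09:31:17 -0700] "{WORM_REQ}" 404 276',
    f'10.0.0.9 - - [19/Jul/2001:09:45:50 -0700] "{WORM_REQ}" 404 276',
    f'10.0.0.9 - - [19/Jul/2001:10:02:11 -0700] "{WORM_REQ}" 404 276',
    '10.0.0.7 - - [19/Jul/2001:10:05:00 -0700] "GET /index.html HTTP/1.0" 200 1024',
]

def is_code_red(request: str) -> bool:
    """True if the request line matches the .ida worm pattern."""
    return bool(CODE_RED_RE.match(request))

def parse_line(line: str):
    """Split one common-format log line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def hour_bucket(ts: str) -> str:
    # "19/Jul/2001:09:14:02 -0700" -> "19/Jul/2001:09"
    return ts[:14]

def unique_attackers_per_hour(lines):
    """Map each hour to the number of distinct IPs that sent a worm request."""
    buckets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_code_red(rec["req"]):
            buckets[hour_bucket(rec["ts"])].add(rec["ip"])
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}

if __name__ == "__main__":
    for hour, count in unique_attackers_per_hour(SAMPLE_LOG).items():
        print(f"{hour}: {count} unique attacking IP(s)")
```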

