Security Incidents mailing list archives

Re: CodeRedII worm..


From: Pluto <pluto () stderr de>
Date: Sun, 5 Aug 2001 20:23:51 +0200

On Sun, Aug 05, 2001 at 04:38:55AM -0400, Valdis.Kletnieks () vt edu wrote:
> (Sorry for the cross-posting)
> 
> Given that initial analysis of the CodeRedII worm indicates that it leaves
> a backdoor lying around, I hereby request that those people who made
> lists of infected hosts available last time *NOT* do so again.

I have seen no checks for root.exe so far. But Nessus already has a
codered_x.nasl; congrats on that speed!

# special root.exe from CR2
alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)


  Regards

-- 
  Pluto   -   SysAdmin of Hades
  Free information! Freedom through knowledge. Wisdom for all!! =:-)
  PGP 1024/7261AACD 1996/09/10 1F3F EA94 D056 A686  4D19 C456 6CF9 4344
  Phone: +49-173-4814739  eCash(DB): 129429938818  Q3T: js-Pluto

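The Snort rule in the post above, re-implemented in Python so that its matching behaviour can be exercised against sample traffic. This is an added example, not code from the post or from Snort; the Segment class, the helper names and all sample requests are constructed for illustration (the /scripts/root.exe and /MSADC/root.exe paths are the typical CodeRedII backdoor locations, but the packets here are made up, not captured). It shows what the rule's three conditions (port 80, ACK bit set, "root.exe" within the first 624 payload bytes) actually catch, and two things they miss: a match that starts beyond the depth limit, and a mixed-case path, since Snort content matching is case-sensitive without nocase while IIS paths are not.

```python
from dataclasses import dataclass

TCP_ACK = 0x10  # ACK bit in the TCP flags byte
TCP_SYN = 0x02
TCP_PSH = 0x08


@dataclass
class Segment:
    """A TCP segment reduced to the fields the rule inspects (constructed)."""
    dst_port: int
    flags: int
    payload: bytes


def matches_rootexe_rule(seg: Segment, depth: int = 624) -> bool:
    """Mirror: alert tcp any any -> any 80 (flags: A+; content:"root.exe"; depth:624;)

    flags:A+   -> the ACK bit must be set, any other bits may be set too.
    depth:624  -> the pattern must lie entirely within the first 624 payload bytes.
    content    -> case-sensitive byte match (no nocase modifier in the rule).
    """
    if seg.dst_port != 80:
        return False
    if not seg.flags & TCP_ACK:
        return False
    return b"root.exe" in seg.payload[:depth]


def scan(segments):
    """Return the labels of all constructed segments that would raise the alert."""
    return [label for label, seg in segments if matches_rootexe_rule(seg)]


def http_get(path: bytes, extra_headers: bytes = b"") -> bytes:
    """Build a minimal HTTP/1.0 request payload (helper for the samples below)."""
    return b"GET " + path + b" HTTP/1.0\r\nHost: victim\r\n" + extra_headers + b"\r\n"


# Constructed sample traffic, labelled by what each case is meant to show.
SAMPLES = [
    ("cr2-backdoor-scripts", Segment(80, TCP_ACK | TCP_PSH, http_get(b"/scripts/root.exe?/c+dir"))),
    ("cr2-backdoor-msadc", Segment(80, TCP_ACK, http_get(b"/MSADC/root.exe?/c+dir"))),
    ("benign-index", Segment(80, TCP_ACK, http_get(b"/index.html"))),
    ("syn-only-no-ack", Segment(80, TCP_SYN, b"")),
    ("alt-port-8080", Segment(8080, TCP_ACK, http_get(b"/scripts/root.exe?/c+dir"))),
    # "root.exe" appears only after ~700 bytes of header padding: beyond depth:624.
    ("beyond-depth", Segment(80, TCP_ACK, http_get(
        b"/index.html", b"Cookie: " + b"A" * 700 + b"\r\nReferer: /scripts/root.exe\r\n"))),
    # IIS resolves paths case-insensitively, but the rule's content match does not.
    ("mixed-case-evasion", Segment(80, TCP_ACK, http_get(b"/scripts/ROOT.EXE?/c+dir"))),
]


if __name__ == "__main__":
    for label in scan(SAMPLES):
        print("ALERT CodeRedII root.exe:", label)
```

Running the block prints alerts for the two backdoor probes only; the beyond-depth and mixed-case samples pass silently, which is the practical limit of a bare content/depth rule and the reason to consider adding nocase and matching on the request line rather than a fixed byte window.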
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com