Security Incidents mailing list archives
Re: Now the kiddiez started playing
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Tue, 7 Aug 2001 17:12:39 +1200
Sven Carstens <s.carstens () gmx de> wrote:
Just sitting here and enjoying my new snort rules. Then a packet that reports not the codered variant but the plain old .ida access warning. The mandatory look into the payload reveals: the next variant. Only occurrence twice from the same IP address to the same IP address. The relatively quick check reveals a dial-up system that claims to use an apache server and SuSE-Linux.
<<snip dump>>

The first 0x05b4 bytes are an exact match to the beginning of CodeRed.B -- the rest looks like random textual (URL?) garbage and almost certainly is just that...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com