Re: CodeRed II Mutants - not

[Denis Ducamp <Denis.Ducamp () hsc fr>]

On Fri, Aug 10, 2001 at 07:50:23AM -0700, Stephen Friedl wrote:
> > My iis5.0 (patched) logs show the length of the original CodeRed II worm as 3818.
>
> It's the same Code Red II.
>
> The overall request is usually 3818 bytes, but this is 3379 bytes of payload
> plus whatever headers are used:
>
>       GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX....
>       Content-type: text/xml
>       Content-length: 3379
>
>       {{3379 bytes of binary data here}}
>
> I routinely find other headers too, such as:
>
>       GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX....
>       Host: 64.170.162.100
>       Connection: keep-alive
>       Content-type: text/xml
>       Content-length: 3379 
>       Via: 1.0 ampere (NetCache NetApp/5.0.1R2)
>       X-Forwarded-For: 212.198.146.153
>
>       {{3379 bytes of same binary data here}}

Fun, this comes from a french ISP called noos (mine ;-) .

Additionnal lines are added by some transparent http proxies that we have to
use, no one can choose tu use them or not. Here the real infected system is
212.198.146.153 and the proxy is ampere.noos.net

> Same great taste, just a bit more filling.

Which is more fun is that some transparent proxies at noos break from time
to time the request and the first 124 bytes are missing so the request isn't
valide...

> No evidence *whatsoever* of any Code Red II variants.

none seen here...

Denis Ducamp.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com