Security Incidents mailing list archives

Code Red II hit in July???


From: "Booke, Raymond" <Raymond.Booke () Avnet com>
Date: Mon, 13 Aug 2001 16:15:19 -0700

I know we've beaten Code Red into the dirt, but I was examining a compromised
system that was compromised in July.  According to our IIS logs, the Code
Red II worm infected this box on July 25, which is a long time before it was
announced.  After patching the box on the 27th of July, we figured that all
was well because we had heard nothing of the Code Red II yet.  The remnants
left behind by the worm are a bit different from the current Code Red II,
though: the root.exe was on the box in the location the worm puts it, but
there was no trojan explorer.exe, and none of the other backdoors were
present.  I have put the log entry below showing the exploit.  Has anyone
seen anything like this?

2001-07-25 18:30:35 192.172.226.20 - removed for privacy 80 GET /NULL.ida
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=X 200 -

Raymond Booke MCSE, CCNA, Net+, A+
Perimeter Security Analyst
Global Data Security Group
raymond.booke () avnet com
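A defender-side check for the signature in the log entry above, added here as an example and not part of the original post: it parses IIS log lines in the layout quoted (date, time, client IP, username, server IP, port, method, URI stem, URI query, status, user agent), flags requests to an .ida/.idq handler whose query carries a long run of identical filler bytes, and reports the status code so a 200 (the request was served rather than rejected) stands out. The sample lines, addresses and the 100-byte run threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log in the layout of the post's entry; the first line mirrors
# that entry with placeholder IPs, the others are benign and one more overflow shape.
SAMPLE_LOG = """\
2001-07-25 18:30:35 192.0.2.20 - 192.0.2.80 80 GET /NULL.ida {x} 200 -
2001-07-25 18:31:02 192.0.2.21 - 192.0.2.80 80 GET /index.html - 200 Mozilla/4.0
2001-07-25 18:32:11 192.0.2.22 - 192.0.2.80 80 GET /default.ida {n} 200 -
2001-07-25 18:33:40 192.0.2.23 - 192.0.2.80 80 GET /query.ida CiRestriction=test 200 -
""".format(x="x" * 224 + "=X", n="N" * 224 + "=a")

# Assumption: a legitimate Index Server query never carries this many identical bytes.
MIN_FILLER = 100
# One character followed by at least MIN_FILLER-1 repeats of itself.
RUN_RE = re.compile(r"(.)\1{%d,}" % (MIN_FILLER - 1))


@dataclass
class IdaHit:
    date: str
    time: str
    client_ip: str
    path: str
    filler_len: int   # length of the longest-first run of repeated filler found
    status: int       # 200 means IIS handed the request to the ISAPI handler


def parse_line(line: str) -> Optional[IdaHit]:
    """Return an IdaHit for a suspicious .ida/.idq request, else None."""
    fields = line.split()
    if len(fields) < 10 or fields[6] != "GET":
        return None
    date, time, client_ip = fields[0], fields[1], fields[2]
    path, query, status = fields[7], fields[8], fields[9]
    if not path.lower().endswith((".ida", ".idq")):
        return None
    match = RUN_RE.search(query)
    if match is None:
        return None
    return IdaHit(date, time, client_ip, path, len(match.group(0)), int(status))


def scan_log(text: str) -> List[IdaHit]:
    """Scan a whole log body and collect every suspicious .ida/.idq request."""
    return [hit for hit in (parse_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.date} {hit.time} {hit.client_ip} {hit.path} "
              f"filler={hit.filler_len} status={hit.status}")
```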




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com