Security Incidents mailing list archives

Re: What if CodeRed encoded it's HTTP requests?


From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 20 Aug 2001 09:52:51 -0600 (MDT)

On Mon, 20 Aug 2001, Nuno Mendes wrote:

> I was just checking how many CodeRed I and II attempts I had on my Linux
> based Apache server, and figuring out what if a new version of the worm
> encoded 'default.ida' in hexadecimal? Or even the data that causes the
> buffer overflow?

Note that the word "default" is arbitrary.  You can change it to whatever
else you want.


> It seems a lot of tools are based on 'default.ida' string.... aren't they?


I've only looked closely at the Snort rule, which says (if I remember
correctly) .ida? (or .idq?) anywhere in the request, and the request is >
259 characters.

Now, if you do some games with the .ida part... Well, I believe Snort has
a HTTP encoding decoder... don't know how effective it is.

                                                Ryan
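The evasion Nuno asks about and the decoder Ryan mentions can be shown side by side. The following is an added example, not code from this thread or from the Snort project: it approximates the rule as Ryan recalls it (".ida?" or ".idq?" anywhere in the request and a request longer than 259 characters) and compares matching on the raw request line against matching after one pass of percent-decoding of the URI, which is the normalization an HTTP decoder preprocessor would do. The request lines are constructed samples with filler bytes, not captured worm traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not real worm traffic). The third one
# percent-encodes the '.' in the filename, the case the thread worries about;
# the fourth contains .ida? but is far below the length floor.
SAMPLE_REQUESTS = [
    "GET /default.ida?" + "X" * 240 + " HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /default%2eida?" + "X" * 240 + " HTTP/1.0",
    "GET /default.ida? HTTP/1.0",
]

# Approximation of the Snort rule as recalled in the reply above (assumed,
# not the actual rule text): ".ida?" or ".idq?" anywhere, request > 259 chars.
IDA_PATTERN = re.compile(r"\.id[aq]\?", re.IGNORECASE)
MIN_LENGTH = 259


def request_uri(request_line):
    """Return the request-target from a 'METHOD target VERSION' line."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def normalize_uri(uri):
    """Decode %XX sequences once, as an HTTP decoder would before matching.

    A single pass is deliberate: decoding repeatedly would also catch
    double-encoded input but changes what the rest of the ruleset sees.
    """
    return unquote(uri)


def matches_raw(request_line):
    """Naive rule: pattern on the raw bytes plus the length condition."""
    return bool(IDA_PATTERN.search(request_line)) and len(request_line) > MIN_LENGTH


def matches_normalized(request_line):
    """Same rule, but the pattern is applied to the decoded URI.

    The length check stays on the original line, since the overlong request
    is the property that matters, not the decoded form.
    """
    decoded = normalize_uri(request_uri(request_line))
    return bool(IDA_PATTERN.search(decoded)) and len(request_line) > MIN_LENGTH


def classify(requests):
    """Return (raw_hit, normalized_hit) for each request line."""
    return [(matches_raw(r), matches_normalized(r)) for r in requests]


if __name__ == "__main__":
    for line, (raw, norm) in zip(SAMPLE_REQUESTS, classify(SAMPLE_REQUESTS)):
        print(f"raw={raw!s:5} normalized={norm!s:5}  {line[:40]}...")
```

Running it shows the percent-encoded sample slipping past the raw match while the normalized match still fires, and the short probe failing both because of the length floor, which is the second half of the rule as described.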


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

