Security Incidents mailing list archives
Re: New version of Code Red?
From: "Jim Forster" <jforster () rapidnet com>
Date: Tue, 24 Jul 2001 16:24:53 -0600
Confirmed, this one came across every server in one class C yesterday from the same address. (the hospital here in town, as a matter of fact.. Odd.)

000 : 47 45 54 20 2F 78 2E 69 64 61 3F 41 41 41 41 41 GET /x.ida?AAAAA
010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
030 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
040 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
050 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
060 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
070 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
080 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
090 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0a0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0b0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0c0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0d0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0e0 : 41 41 41 41 41 41 41 3D 58 20 48 54 54 50 2F 31 AAAAAAA=X HTTP/1
0f0 : 2E 31 0A 48 6F 73 74 3A 20 77 77 77 2E 77 6F 72 .1.Host: www.wor
100 : 6D 2E 63 6F 6D 0D 0A 0D 0A m.com....

----- Original Message -----
From: "Dean Cunningham" <Dean.Cunningham () ew govt nz>
To: <incidents () securityfocus com>
Sent: Tuesday, July 24, 2001 4:02 PM
Subject: New version of Code Red?
A FYI, I have yet to see anything in my logs.

cheers
Dean

-----Original Message-----
From: MVick () mail uttyl edu [mailto:MVick () mail uttyl edu]
Sent: Wednesday, 25 July 2001 8:44 AM
To: NT System Admin Issues
Subject: New version of Code Red?

Computer at 172.158.225.228 does the 80 GET /x.ida, followed by AAA... instead of NNN... Then comes back 25 minutes later with 80 GET /iisstart.asp and 80 GET /pagerror.gif

2001-07-23 11:05:32 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /x.ida
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X 200 -
2001-07-23 11:30:06 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
2001-07-23 11:30:08 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)

And nslookup reports....

C:\>nslookup 172.158.255.228
Server: xxxx.xxxxx.xxx
Address: xxx.xxx.xxx.xxx

Name: AC9EFFE4.ipt.aol.com
Address: 172.158.255.228

Michael Vick

***************************************************
This e-mail is not an official statement of the Waikato Regional Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
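Added example, not part of the original messages: a log triage sketch that finds .ida requests padded with a long run of one character, reports which filler character was used (the AAA versus NNN distinction raised in the thread), and lists later requests from the same address. The field order follows the log lines quoted above; the sample lines, the documentation-range addresses, the 64-character threshold and the one-hour window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the field order of the log lines quoted in the thread:
# date time c-ip - s-ip port method uri-stem query status user-agent.
# Addresses are documentation-range placeholders, filler lengths are made up.
SAMPLE_LOG = "\n".join([
    "2001-07-23 11:05:32 192.0.2.10 - 198.51.100.5 80 GET /x.ida " + "A" * 224 + "=X 200 -",
    "2001-07-23 11:30:06 192.0.2.10 - 198.51.100.5 80 GET /iisstart.asp - 200 Mozilla/4.0",
    "2001-07-23 11:30:08 192.0.2.10 - 198.51.100.5 80 GET /pagerror.gif - 200 Mozilla/4.0",
    "2001-07-23 12:00:00 192.0.2.77 - 198.51.100.5 80 GET /default.ida " + "N" * 224 + " 200 -",
    "2001-07-23 12:01:00 192.0.2.99 - 198.51.100.5 80 GET /index.htm - 200 Mozilla/4.0",
])

LINE = re.compile(r"^(\S+ \S+) (\S+) \S+ \S+ \d+ (\S+) (\S+) (\S+) (\d{3}) (.*)$")
FILLER = re.compile(r"^(.)\1{63,}")  # assumed threshold: 64+ repeats of one character

def analyze(log_text, window=timedelta(hours=1)):
    """Return {client_ip: {"filler", "first_seen", "followups"}} for padded .ida probes."""
    hits, rows = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip comment lines and anything not in the expected layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, stem, query = m.group(2), m.group(4), m.group(5)
        rows.append((ts, ip, stem))
        pad = FILLER.match(query)
        if stem.lower().endswith(".ida") and pad and ip not in hits:
            hits[ip] = {"filler": pad.group(1), "first_seen": ts, "followups": []}
    # Second pass: later non-.ida requests from a probing address inside the
    # window, i.e. the "comes back 25 minutes later" behaviour in the report.
    for ts, ip, stem in rows:
        hit = hits.get(ip)
        if hit and not stem.lower().endswith(".ida"):
            delta = ts - hit["first_seen"]
            if timedelta(0) < delta <= window:
                hit["followups"].append((stem, delta))
    return hits

if __name__ == "__main__":
    for ip, hit in analyze(SAMPLE_LOG).items():
        print(ip, "filler=" + hit["filler"], [(s, str(d)) for s, d in hit["followups"]])
```
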
Current thread:
- New version of Code Red? Dean Cunningham (Jul 24)
- Re: New version of Code Red? Jim Forster (Jul 24)
- RE: New version of Code Red? Nick Lehman (Jul 24)
- Re: New version of Code Red? sleonard (Jul 25)