Security Incidents mailing list archives
Re: new codered worm penetrates content-filtering
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 10 Jan 2002 11:11:00 -0700 (MST)
On Thu, 10 Jan 2002, Chris Russel wrote:
After waiting for a capture of an attack session (I didn't have to wait long) it seems that the familiar "GET /default.ida*" is now being delivered with the "GET " in a separate packet which appears designed to defeat the web content-screening features of routers and packet shapers. It's been a while, but I don't recall it being split up like that before - and I still get some with the "GET" in the same packet so I'm led to believe there's a new code red variant out there. Can anyone else verify that this is new behaviour?
Not yet. I have some questions, though:

Do you have packet traces of one of these? I'm curious as to what they look like, i.e. are they IP fragments, separate TCP packets, etc.? Are the ones that have the "GET " separated otherwise regular Code Red? Have you caught a whole transaction?

It occurs that this could potentially be a human attacker that figured out he had to bypass the filter. If they look like Code Red, grabbing one will tell you if it's a variant or not.

If you get a packet trace of the whole thing, I can tell you pretty quickly.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
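The difference between per-packet matching and matching on the reassembled TCP stream, as an added example that is not part of the original post or of any filter product. It assumes the split arrives as separate TCP segments (not IP fragments); the segment data, sequence numbers and function names are constructed for illustration.

```python
# Constructed sample data: (sequence number, payload) pairs for one TCP
# connection. The request is a shortened stand-in, not a real worm capture.
SIGNATURE = b"GET /default.ida"

SPLIT_SESSION = [(1000, b"GET "), (1004, b"/default.ida?NNNN HTTP/1.0\r\n\r\n")]
WHOLE_SESSION = [(5000, b"GET /default.ida?NNNN HTTP/1.0\r\n\r\n")]


def per_packet_match(segments):
    """Content screen that inspects each payload on its own."""
    return any(SIGNATURE in payload for _, payload in segments)


def reassemble(segments):
    """Rebuild the contiguous byte stream from TCP segments.

    Handles reordering, retransmission and overlap (first copy of a byte
    wins) and stops at the first gap. Assumption: no sequence wraparound.
    """
    if not segments:
        return b""
    base = min(seq for seq, _ in segments)
    stream = bytearray()
    for seq, payload in sorted(segments):
        offset = seq - base
        if offset > len(stream):
            break  # gap: the bytes in between have not been seen
        stream += payload[len(stream) - offset:]  # only the unseen tail
    return bytes(stream)


def stream_match(segments):
    """Content screen that inspects the reassembled stream."""
    return SIGNATURE in reassemble(segments)


def classify(segments):
    """Label a session the way an analyst triaging captures would."""
    if per_packet_match(segments):
        return "whole-packet"
    if stream_match(segments):
        return "split-across-segments"
    return "no-match"
```

A session labelled `split-across-segments` is one that a per-packet screen passes but a stream-aware screen catches, which is the case reported in the quoted message.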