Security Incidents mailing list archives

Re: The Return of Code Red II?


From: "David C. Lewis" <dave () rootshellsecurity ca>
Date: Tue, 11 Mar 2003 14:24:46 -0500

Stan,

I'm seeing this activity increasing on 2 of my internet facing networks right 
now. Has anyone captured a copy of this iteration? Just curious if this is a 
new version?

cheers,
Dave

==========================
David C. Lewis, CISSP
Root Shell Security Canada
==========================

----- Original Message ----- 
From: "Stan Burditzman" <slidefx2 () hotmail com>
To: <incidents () securityfocus com>
Sent: Tuesday, March 11, 2003 12:24 PM
Subject: The Return of Code Red II?



Is anyone else seeing traffic generated by Code Red II?  I thought it wasn't 
supposed to propagate after 10/01?  Unfortunately I don't have the whole 
string but here is the RealSecure Event.

Event Name: HTTP_Code_Red_II
Date/Time: 2003/03/11 09:32:11
Source Addr: 211.148.215.243
Destination Addr: 161.xxx.xxx.xxx
Protocol Id: TCP(6)
URL: /default.ida
arg: 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%
ucbd3%u7801%
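
An added example, not part of the original posts and not RealSecure's own tooling: one way to triage an event pasted into mail like the one above is to rejoin the hard-wrapped argument, then report the filler run, the %u-encoded words and whether the string is cut off. The sample is constructed from the fields in the post; the filler length is illustrative and the function names are hypothetical.

```python
import re

# Constructed sample: the event fields as posted above, with the mail client's
# hard line wraps kept (the argument is split mid-token). Filler length is illustrative.
SAMPLE_EVENT = """\
Event Name: HTTP_Code_Red_II
Date/Time: 2003/03/11 09:32:11
Source Addr: 211.148.215.243
Destination Addr: 161.xxx.xxx.xxx
Protocol Id: TCP(6)
URL: /default.ida
arg:
""" + "X" * 80 + "\n" + "X" * 80 + "\n" + "X" * 64 + "%u9090%u6858%\nucbd3%u7801%\n"

FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*):\s*(.*)$")

def parse_event(text):
    """Parse 'Key: value' lines; unkeyed lines continue the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last and line.strip():
            fields[last] += line.strip()  # undo the hard wrap
    return fields

def triage(fields):
    """Summarise an .ida request argument for an analyst (hypothetical helper)."""
    arg = fields.get("arg", "")
    filler = re.match(r"(.)\1*", arg)  # leading run of one repeated character
    words = re.findall(r"%u([0-9a-fA-F]{4})", arg)
    # Each %uXXXX names one 16-bit character; as UTF-16LE (the layout of a
    # Windows wide-character string) the low byte comes first.
    raw = b"".join(int(w, 16).to_bytes(2, "little") for w in words)
    return {
        "ida_request": fields.get("URL", "").lower().endswith(".ida"),
        "filler_char": filler.group(1) if filler else None,
        "filler_len": len(filler.group(0)) if filler else 0,
        "u_words": words,
        "bytes_hex": raw.hex(),
        "truncated": bool(re.search(r"%(u[0-9a-fA-F]{0,3})?$", arg)),
    }
```

The `truncated` flag marks an argument that ends inside a `%u` escape, as the posted one does, so an analyst knows the capture is incomplete before comparing it against a known sample.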



