Snort mailing list archives
RE: Problem with Code Red signature
From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 01:10:14 +0300
Hi Graeme!

I've checked out the tcpdump format log for these alerts, and it looks like the Code Red worm; it has 'www.worm.com' string etc. Also, the requests are made to servers running Apache, not IIS. Do you have any idea what else could be causing this?

Thanks! =)

Yours,
Jyri

Sometimes I get *only* the "WEB-IIS ISAPI .ida attempt"; the Code Red signature doesn't seem to 'fire' at all.
Well, you could of course be seeing real formulated queries to the ISAPI Indexing Service! The original buffer overflow for the ISAPI exploit hit servers which left the default IIS indexing service enabled. It's easy enough to switch off, but it's also very widely used to do searches of local sites on that server. That is, after all, what the original service was intended to do.