Snort mailing list archives

RE: Problem with Code Red signature


From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 01:10:14 +0300

Hi Graeme!

I've checked out the tcpdump format log for these alerts, and it looks
like the Code Red worm; it has 'www.worm.com' string etc. Also, the
requests are made to servers running Apache, not IIS.

Do you have any idea what else could be causing this?

Thanks! =)

Yours,

Jyri

Sometimes I get *only* the "WEB-IIS ISAPI .ida attempt";
the Code Red signature doesn't seem to 'fire' at all.

Well, you could of course be seeing real formulated queries to the
ISAPI Indexing Service! The original buffer overflow for the ISAPI
exploit hit servers which left the default IIS indexing service
enabled. It's easy enough to switch off, but it's also very widely
used to do searches of local sites on that server. That is, after all,
what the original service was intended to do.


