Snort mailing list archives
Re: Where to get " code red worm source" ?
From: Phil Wood <cpw () lanl gov>
Date: Thu, 30 Aug 2001 11:29:39 -0600
Mel,

It was not an email virus. If you were to pipe it to nc (netcat) on tcp/80 to a Microsoft web server running whatever IIS web software that is vulnerable to codered II, that web server would be infected. I believe that just about all of the vulnerable systems in the Universe are infected at this time. I've been hit by 500,000 different systems in the past two weeks, as you probably read in a previous message. Our systems aren't vulnerable. However, the web proxy dutifully responded to the millions of codered II messages, and still is at this very instant.

I captured the http request and sent that as an attachment to the snort-list. Various anti-virus software applications sensed the malignancy, and prevented the attachment and possibly the entire mail message from being received by snort users.

I've learned some things from this. In particular, when I send something like this again, it will be only readable on unix like systems, or systems with openssl capability. Another thing I learned is what kind of anti-virus software I might want to buy. No single AV application caught all 5 encapsulations that I sent. But, some did get 4 of the 5. But, that's for a later message.

I wasn't worried about sending this. I was surprised that the virus software considered the attachment as a virus, since it is not executable. However, this is what we see all the time in the snort world, false positives. A better diagnosis would have been some verbiage to the effect that the patterns that triggered the event were most likely from malicious code, but that opening the attachment would have just yielded a non executable file.

On Thu, Aug 30, 2001 at 09:47:26AM -0700, Mel Chandler PMI wrote:
> I can't believe you sent a virus to the group. OMG
>
> Mel L. Chandler, A+, Network+, MCNE, MCDBA, MCSE+I, CCNA
> MChandler () PMI Delta org
> Network Analyst
> Information Services
> PMI Delta Dental
> (562) 467-6627
>
> -----Original Message-----
> From: Phil Wood [mailto:cpw () lanl gov]
> Sent: Wednesday, August 29, 2001 4:18 PM
> To: Phil Wood; ls1100; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Where to get " code red worm source" ?
>
> Second try. I be a glutton for punishment.
>
> This will be the contents of each attachment:
>
> % ls -l CR
> total 8
> -rw-r--r--    1 nobody   nogroup      5336 Aug 29 16:49 cr
>
> There are 4 different files attached:
>
> -rw-r--r--    1 nobody   nogroup      2644 Aug 29 17:05 CR.bz2
> -rw-r--r--    1 nobody   nogroup      2190 Aug 29 17:06 CR.tgz
> -rw-r--r--    1 nobody   nogroup      7376 Aug 29 17:07 CR.uue
> -rw-r--r--    1 nobody   nogroup      2175 Aug 29 17:06 CR.zip
>
> I guess zip wins in the storage department.
>
> (in case you didn't see the fall out from my first attempt, 'cr' is the http payload that comprises codeRed II. Sending as cr.bin was a bad or good idea depending on your frame of mind. Only time will tell with this post. Also, contrary to some of the virus notices, as far as I know, this is not an executable piece of code. It will only cause a problem if passed through an http server running some bogus IIS product.)
>
> What a great day.
>
> --
> Phil Wood, cpw () lanl gov
--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
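Phil's point is that the captured payload is just an HTTP request: a non-IIS host such as his web proxy answers it with an ordinary error and is not infected, and the useful thing to do with the traffic is to count how many distinct sources are probing you. The following is an added example, not code from the original post or from the Snort project, of that log-side view. It assumes Common Log Format lines from a proxy or web server and a detection rule based on the request shape described in public write-ups of the worm (a GET for /default.ida whose query string starts with a long run of a single filler letter); both the sample log lines and that rule are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (Common Log Format). Not taken from the post;
# the probe lines mimic the request shape of the worm, with a made-up tail.
SAMPLE_LOG = """\
10.1.2.3 - - [30/Aug/2001:10:02:11 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 3149
10.1.2.3 - - [30/Aug/2001:10:02:12 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 3149
192.0.2.44 - - [30/Aug/2001:10:03:40 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 3149
198.51.100.7 - - [30/Aug/2001:10:04:01 -0600] "GET /index.html HTTP/1.1" 200 1043
"""

# Common Log Format: host ident user [timestamp] "method target protocol" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed signature: the request targets /default.ida and the query string opens
# with at least 32 repetitions of one letter (the worm's filler run). The
# backreference makes the run letter the distinguishing "variant" key.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<filler>[A-Za-z])(?P=filler){31,}', re.IGNORECASE)


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def probe_variant(target):
    """Return the filler letter of a Code Red-style request target, or None."""
    m = PROBE_RE.match(target)
    return m.group('filler').upper() if m else None


def is_code_red_probe(target):
    return probe_variant(target) is not None


def summarize(log_text):
    """Count probes, distinct probing sources and filler variants in a log.

    A 404 (or any non-IIS response) to these requests is the server answering
    normally; counting distinct sources is what tells you how wide the worm is.
    """
    probes = 0
    sources = set()
    variants = Counter()
    other = 0
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            unparsed += 1
            continue
        variant = probe_variant(rec['target'])
        if variant is None:
            other += 1
            continue
        probes += 1
        sources.add(rec['host'])
        variants[variant] += 1
    return {
        'total_probes': probes,
        'distinct_sources': len(sources),
        'variants': dict(variants),
        'other_requests': other,
        'unparsed_lines': unparsed,
    }


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    print(f"probes={report['total_probes']} distinct_sources={report['distinct_sources']} "
          f"variants={report['variants']} other={report['other_requests']}")
```

Run over a real access log the script gives the "how many different systems" figure Phil quotes; the per-letter variant count separates the two generations of the worm only if the assumed filler rule holds for your traffic, so treat it as a triage aid rather than a verdict.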
Current thread:
- Where to get " code red worm source" ? ls1100 (Aug 28)
- Re: Where to get " code red worm source" ? Phil Wood (Aug 29)
- Re: Where to get " code red worm source" ? Daniel Monjar (Aug 29)
- Re: Where to get " code red worm source" ? Phil Wood (Aug 29)
- Re: Where to get " code red worm source" ? Daniel Monjar (Aug 29)
- <Possible follow-ups>
- FW: Where to get " code red worm source" ? Martin O'Reilly (Aug 29)
- RE: Where to get " code red worm source" ? Mel Chandler PMI (Aug 30)
- Re: Where to get " code red worm source" ? Olaf Schreck (Aug 30)
- Re: Where to get " code red worm source" ? Phil Wood (Aug 30)
- Re: Where to get " code red worm source" ? Ryan Russell (Aug 30)
- Message not available
- Re: hi ^^ I have question ^^ Phil Wood (Aug 31)
- Re: Where to get " code red worm source" ? Phil Wood (Aug 29)