Security Incidents mailing list archives
Re: CodeRed II Mutants - not
From: Stephen Friedl <friedl () mtndew com>
Date: Fri, 10 Aug 2001 07:50:23 -0700
My iis5.0 (patched) logs show the length of the original CodeRed II worm as 3818.
It's the same Code Red II.
The overall request is usually 3818 bytes, but this is 3379 bytes of payload
plus whatever headers are used:

    GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX....
    Content-type: text/xml
    Content-length: 3379
    {{3379 bytes of binary data here}}

I routinely find other headers too, such as:

    GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX....
    Host: 64.170.162.100
    Connection: keep-alive
    Content-type: text/xml
    Content-length: 3379
    Via: 1.0 ampere (NetCache NetApp/5.0.1R2)
    X-Forwarded-For: 212.198.146.153
    {{3379 bytes of same binary data here}}

Same great taste, just a bit more filling.
No evidence *whatsoever* of any Code Red II variants.
Steve
---
Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561
www.unixwiz.net | I speak for me only | KA8CMY | steve () unixwiz net
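
Added example, not part of the original post: one way to check captures the way the message describes, by measuring and hashing the request body separately from the headers, so a different total request size is not mistaken for a different payload. The sample requests, addresses, `HTTP/1.0` request line and filler body bytes are constructed for illustration.

```python
import hashlib

def split_request(raw: bytes):
    """Split a captured HTTP request into (request_line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in capture")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def fingerprint(raw: bytes) -> dict:
    """Measure the body separately from the whole request."""
    _, headers, body = split_request(raw)
    declared = headers.get(b"content-length", b"")
    return {
        "total_len": len(raw),
        "body_len": len(body),
        # A mismatch points at a truncated capture, not a new variant.
        "length_ok": declared.isdigit() and int(declared) == len(body),
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }

def group_by_body(captures) -> dict:
    """Map body digest -> sorted total request sizes seen with that body."""
    groups = {}
    for raw in captures:
        fp = fingerprint(raw)
        groups.setdefault(fp["body_sha256"], set()).add(fp["total_len"])
    return {digest: sorted(sizes) for digest, sizes in groups.items()}

# Constructed samples: filler bytes stand in for the 3379-byte body.
BODY = bytes(range(256)) * 13 + bytes(51)
REQ = b"GET /default.ida?XXXX HTTP/1.0\r\n"
CL = b"Content-type: text/xml\r\nContent-length: 3379\r\n"
DIRECT = REQ + CL + b"\r\n" + BODY
PROXIED = (REQ + b"Host: 192.0.2.10\r\nConnection: keep-alive\r\n" + CL +
           b"Via: 1.0 proxy.example\r\nX-Forwarded-For: 198.51.100.7\r\n\r\n" + BODY)
CHANGED = REQ + CL + b"\r\n" + BODY[:-1] + b"\x01"  # same size, different body

if __name__ == "__main__":
    for digest, sizes in group_by_body([DIRECT, PROXIED, CHANGED]).items():
        print(digest[:16], sizes)
```

Captures that share a body digest are the same payload regardless of how many headers a proxy added; only a new digest is worth examining as a possible variant.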
