Date: Mon, 6 Aug 2001 10:28:21 +1200
From: rshea@opendoor.co.nz
To: questions@FreeBSD.ORG
Subject: Code Red 2 - (was : Attempted Buffer Overrun in via httpd? )
Message-ID: <20010805222826.9412F1FA2A9@deborah.paradise.net.nz>
In-Reply-To: <E15T5RI-000B0V-00@jdl.com>
References: Your message of "Sat, 04 Aug 2001 14:27:37 -0300." <20010804142321.X91592-100000@cactus.fi.uba.ar>

> > It smells like code red. It is a worm which tries to exploit a vulnerability
> > in M$ IIS.
>
> Ah! Duh. Wait, I'm catching up here... What's the current virus
> knocking on everyone's door? Oh yeah, _I_ remember now! Code Red.
>

Although Code Red is old news (hopefully) to everyone with IIS machines in their network, I would just point out that in the last 36 hours a so-called Code Red II has arisen (if you look in your logs you'll see that some of the default.ida attempts now have a padding of 'X' rather than 'N').

It has a much nastier effect and rebooting ain't going to fix it.

Once again the June 18 IIS patch will avoid infection ...

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

... and there are lots of details at ...

http://www.eeye.com/html/advisories/coderedII.zip

... for people in charge of a network there's an interesting aspect to the way it generates target IPs. Basically once it gets to a machine close to your IP address you're going to see a very fast ramp up in traffic. This may explain the discrepancies in sightings which people have mentioned in earlier posts. It certainly corresponds with what I've seen here in the last 24 hours.

Just another day that I feel grateful for Apache and Unix!

Have a good one.

richard shea.

*****************************************************
Open Door Ltd
PO Box 119-46 Wellington
PH 04 384 7639
FX 04 384 7672
*****************************************************
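
The log check described in the message above, as an added example that is not part of the original post: it separates default.ida probes by padding letter ('N' versus 'X') and tallies each source by how many leading octets it shares with the server. The Apache common log format, the 16-character minimum padding run, the shared-octet measure of "close to your IP address", and the sample lines are all assumptions made for illustration.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')
# default.ida probe whose query starts with a long run of one padding letter
# (minimum run of 16 is an assumption, chosen to avoid matching short queries)
PROBE_RE = re.compile(r'^GET /default\.ida\?([NX])\1{15,}')
VARIANT = {"N": "Code Red", "X": "Code Red II"}


def classify(request):
    """Return the worm variant a request line matches, or None."""
    m = PROBE_RE.match(request)
    return VARIANT[m.group(1)] if m else None


def shared_octets(a, b):
    """Count the leading dotted-quad octets two IPv4 addresses have in common."""
    n = 0
    for x, y in zip(a.split("."), b.split(".")):
        if x != y:
            break
        n += 1
    return n


def summarize(lines, server_ip):
    """Tally probes per variant, and per (variant, closeness to server_ip)."""
    by_variant, by_closeness = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        variant = classify(m.group(2)) if m else None
        if variant is None:
            continue  # unparseable line or ordinary request
        by_variant[variant] += 1
        by_closeness[variant, shared_octets(m.group(1), server_ip)] += 1
    return by_variant, by_closeness


def sample_hit(src, pad):
    """Build one constructed log line; the worm payload itself is left out."""
    return (f'{src} - - [05/Aug/2001:09:12:44 +1200] '
            f'"GET /default.ida?{pad * 224}=a HTTP/1.0" 404 205')


# Constructed sample input: addresses and timestamps are made up.
SAMPLE = [sample_hit("198.51.100.7", "N"), sample_hit("192.0.2.44", "X"),
          sample_hit("192.0.2.91", "X"), sample_hit("192.0.77.3", "X"),
          '203.0.113.5 - - [05/Aug/2001:09:13:02 +1200] "GET /index.html HTTP/1.0" 200 1043']

if __name__ == "__main__":
    variants, closeness = summarize(SAMPLE, server_ip="192.0.2.10")
    print(dict(variants), dict(closeness))
```

If the server logs hostnames instead of addresses, every source will show zero shared octets, so run this against logs written with hostname lookups off.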