From owner-freebsd-security Thu Aug 9 4:25:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from aristotle.tamu.edu (Aristotle.tamu.edu [165.91.161.90]) by hub.freebsd.org (Postfix) with ESMTP id 8DB0937B403 for ; Thu, 9 Aug 2001 04:25:27 -0700 (PDT) (envelope-from rasmith@aristotle.tamu.edu) Received: from aristotle.tamu.edu (IDENT:rasmith@localhost [127.0.0.1]) by aristotle.tamu.edu (8.9.3/8.8.7) with ESMTP id GAA29210; Thu, 9 Aug 2001 06:25:25 -0500 Message-Id: <200108091125.GAA29210@aristotle.tamu.edu> To: freebsd-security@FreeBSD.ORG Cc: "Nickolay A.Kritsky" Subject: Re: Re[2]: should I concerned? In-Reply-To: Message from Claude Buisson of "Thu, 09 Aug 2001 12:35:21 +0200." <20010809123052.U4026-100000@eve.framatome.fr> Mime-Version: 1.0 (generated by tm-edit 7.106) Content-Type: text/plain; charset=US-ASCII Date: Thu, 09 Aug 2001 06:25:25 -0500 From: Robin Smith Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >>>>> "Claude" == Claude Buisson writes: Claude> I have seen a few of these starting from August 6, amidst Claude> a flow of "standard" GET /default.ida?NNNNNNNN... and GET Claude> /default.ida?XXXXXXX... Is Code Red II bugged ? My httpd access log is full of "GET /default/ida?XXX....", which is evidently the Code Red II signature; haven't seen very many Code Red I hits in the last few days (but Code Red II seems to hit us with much greaterfrequency). The "NNN.." and "XXX..." strings are just filler to overflow a buffer; the payload (and the real signature of the worm) is the bit of code at the end, which is object code encoded in hex ("%u" and four digits). Compare these and you'll see they are the same. But it's so much easier to type "grep NNNN /var/log/..." :=) Robin Smith To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message