Date: Thu, 9 Aug 2001 13:37:13 +0200 (CEST) From: Claude Buisson <ubc@paris.framatome.fr> To: Robin Smith <rasmith@aristotle.tamu.edu> Cc: <freebsd-security@FreeBSD.ORG>, "Nickolay A.Kritsky" <nkritsky@internethelp.ru> Subject: Re: Re[2]: should I concerned? Message-ID: <20010809133535.I4371-100000@eve.framatome.fr> In-Reply-To: <200108091125.GAA29210@aristotle.tamu.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 9 Aug 2001, Robin Smith wrote:
>
> >>>>> "Claude" == Claude Buisson <ubc@paris.framatome.fr> writes:
>
>
> Claude> I have seen a few of these starting from August 6, amidst
> Claude> a flow of "standard" GET /default.ida?NNNNNNNN... and GET
> Claude> /default.ida?XXXXXXX... Is Code Red II bugged ?
>
> My httpd access log is full of "GET /default/ida?XXX....", which is
> evidently the Code Red II signature; haven't seen very many Code Red I
> hits in the last few days (but Code Red II seems to hit us with much
> greaterfrequency).
>
> The "NNN.." and "XXX..." strings are just filler to overflow a buffer;
> the payload (and the real signature of the worm) is the bit of code at
> the end, which is object code encoded in hex ("%u" and four digits).
> Compare these and you'll see they are the same. But it's so much easier
> to type "grep NNNN /var/log/..." :=)
This is already well known, the question is:
why the "GET /default.ida?" is missing is some attempts ?
>
> Robin Smith
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
Claude Buisson
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010809133535.I4371-100000>