Date: Thu, 9 Aug 2001 07:54:38 -0400 From: Chris Faulhaber <jedgar@fxp.org> To: Claude Buisson <ubc@paris.framatome.fr> Cc: Robin Smith <rasmith@aristotle.tamu.edu>, freebsd-security@FreeBSD.ORG, "Nickolay A.Kritsky" <nkritsky@internethelp.ru> Subject: Re: Re[2]: should I concerned? Message-ID: <20010809075438.A17562@peitho.fxp.org> In-Reply-To: <20010809133535.I4371-100000@eve.framatome.fr> References: <200108091125.GAA29210@aristotle.tamu.edu> <20010809133535.I4371-100000@eve.framatome.fr>
next in thread | previous in thread | raw e-mail | index | archive | help
--azLHFNyN32YCQGCU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Thu, Aug 09, 2001 at 01:37:13PM +0200, Claude Buisson wrote:
> On Thu, 9 Aug 2001, Robin Smith wrote:
> >
> > >>>>> "Claude" =3D=3D Claude Buisson <ubc@paris.framatome.fr> writes:
> >
> >
> > Claude> I have seen a few of these starting from August 6, amidst
> > Claude> a flow of "standard" GET /default.ida?NNNNNNNN... and GET
> > Claude> /default.ida?XXXXXXX... Is Code Red II bugged ?
> >
> > My httpd access log is full of "GET /default/ida?XXX....", which is
> > evidently the Code Red II signature; haven't seen very many Code Red I
> > hits in the last few days (but Code Red II seems to hit us with much
> > greaterfrequency).
> >
> > The "NNN.." and "XXX..." strings are just filler to overflow a buffer;
> > the payload (and the real signature of the worm) is the bit of code at
> > the end, which is object code encoded in hex ("%u" and four digits).
> > Compare these and you'll see they are the same. But it's so much easier
> > to type "grep NNNN /var/log/..." :=3D)
>=20
> This is already well known, the question is:
>=20
> why the "GET /default.ida?" is missing is some attempts ?
>=20
You may want to review the incidents/vuln-dev archives at
www.securityfocus.com where this has been discussed-to-death
over the last few weeks.
--=20
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org
--azLHFNyN32YCQGCU
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: FreeBSD: The Power To Serve
iEYEARECAAYFAjtyef4ACgkQObaG4P6BelA3IQCeIBgAYg2n0phGTBzHvey6UrPy
XCkAoIlAQaaiiovkabiruiieu2phLidQ
=BGMP
-----END PGP SIGNATURE-----
--azLHFNyN32YCQGCU--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010809075438.A17562>