From owner-freebsd-security Thu Aug 9 4:54:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id BF4F337B401 for ; Thu, 9 Aug 2001 04:54:39 -0700 (PDT) (envelope-from cdf.lists@fxp.org) Received: by peitho.fxp.org (Postfix, from userid 1501) id BEB2E1360E; Thu, 9 Aug 2001 07:54:38 -0400 (EDT) Date: Thu, 9 Aug 2001 07:54:38 -0400 From: Chris Faulhaber To: Claude Buisson Cc: Robin Smith , freebsd-security@FreeBSD.ORG, "Nickolay A.Kritsky" Subject: Re: Re[2]: should I concerned? Message-ID: <20010809075438.A17562@peitho.fxp.org> Mail-Followup-To: Chris Faulhaber , Claude Buisson , Robin Smith , freebsd-security@FreeBSD.ORG, "Nickolay A.Kritsky" References: <200108091125.GAA29210@aristotle.tamu.edu> <20010809133535.I4371-100000@eve.framatome.fr> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="azLHFNyN32YCQGCU" Content-Disposition: inline In-Reply-To: <20010809133535.I4371-100000@eve.framatome.fr> User-Agent: Mutt/1.3.20i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --azLHFNyN32YCQGCU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 09, 2001 at 01:37:13PM +0200, Claude Buisson wrote: > On Thu, 9 Aug 2001, Robin Smith wrote: > > > > >>>>> "Claude" =3D=3D Claude Buisson writes: > > > > > > Claude> I have seen a few of these starting from August 6, amidst > > Claude> a flow of "standard" GET /default.ida?NNNNNNNN... and GET > > Claude> /default.ida?XXXXXXX... Is Code Red II bugged ? > > > > My httpd access log is full of "GET /default/ida?XXX....", which is > > evidently the Code Red II signature; haven't seen very many Code Red I > > hits in the last few days (but Code Red II seems to hit us with much > > greaterfrequency). > > > > The "NNN.." and "XXX..." strings are just filler to overflow a buffer; > > the payload (and the real signature of the worm) is the bit of code at > > the end, which is object code encoded in hex ("%u" and four digits). > > Compare these and you'll see they are the same. But it's so much easier > > to type "grep NNNN /var/log/..." :=3D) >=20 > This is already well known, the question is: >=20 > why the "GET /default.ida?" is missing is some attempts ? >=20 You may want to review the incidents/vuln-dev archives at www.securityfocus.com where this has been discussed-to-death over the last few weeks. --=20 Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org --azLHFNyN32YCQGCU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: FreeBSD: The Power To Serve iEYEARECAAYFAjtyef4ACgkQObaG4P6BelA3IQCeIBgAYg2n0phGTBzHvey6UrPy XCkAoIlAQaaiiovkabiruiieu2phLidQ =BGMP -----END PGP SIGNATURE----- --azLHFNyN32YCQGCU-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message