Bugtraq mailing list archives

Code Red Revision (fwd)


From: Alfred Huger <ah () securityfocus com>
Date: Sat, 4 Aug 2001 23:11:47 -0600 (MDT)





---------- Forwarded message ----------
Date: Sat, 4 Aug 2001 23:00:39 -0600 (MDT)
From: Alfred Huger <ah () securityfocus com>
To: incidents () securityfocus com
Subject: Code Red Revision


Evening all,

I had planned on sending out a thanks this evening to all of the
contributors (in terms of logs) who came through on the Code Red (revision
2) surge last week. Regrettably it looks like I will have to wait due to a
new variant or rather new worm on the loose.

As some of you know a new worm has been released into the wild which uses
the same exploit - the Microsoft Indexing Server/Indexing Services ISAPI
Buffer Overflow Attack (http://www.securityfocus.com/bid/2880). However,
this is most likely not a revision of the initial Code Red worm but a new
worm which simply uses the same entry point. It carries an actual
malicious payload and has a number of other very interesting features. The
SecurityFocus ARIS Team and eEye Digital Security will be releasing an
in-depth writeup in the next hour or two with technical details as well as
information about its spread to date.

As opposed to filling the list with logs of attacks I will reserve the
list for discussion of the worm's payload and features - after we post an
analysis. So very shortly. Until then, it would be fantastic if you can
send your log files to:

aris-report () securityfocus com

Because we have caught this very early we plan on starting the
notification process tonight. We sent close to 400,000 notifications
against Code Red 1 & 2 previously - hopefully because we are on top of
this our notifications now will help address the situation much, much
faster.

If you would like to send offending IP data - please send it in the
following format:

IP ADDRESS DATE/TIME

Or something similar to this. Please ensure the information is contained
to IP address and date per line as we do our notification automatically
and our system needs to be able to understand the logs you send us.

We will be posting more shortly.

-Al



VP Engineering
SecurityFocus.com
"Vae Victis"
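The message above asks for one "IP ADDRESS DATE/TIME" pair per line so that notifications can be generated automatically. The following is an added example (not code from the post or from SecurityFocus) that reduces IIS W3C extended log lines to exactly that shape, dropping lines the notifier could not parse. The sample log is constructed, timestamps are assumed to be UTC as IIS writes them by default, and the filter on the .ida/.idq Indexing Service ISAPI extensions is this example's assumption about how to pick out requests for the entry point the message names.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in IIS W3C extended format; made up for illustration, not real traffic.
# It includes an exact duplicate, an unparseable client address and a truncated line.
SAMPLE_W3C_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-04 21:14:03 192.0.2.17 GET /default.ida 200
2001-08-04 21:14:03 192.0.2.17 GET /default.ida 200
2001-08-04 21:14:05 198.51.100.9 GET /index.html 200
2001-08-04 21:15:44 192.0.2.17 GET /default.ida 200
2001-08-04 21:16:10 not.an.ip GET /default.ida 200
2001-08-04 21:17:02 203.0.113.250 GET /scripts/root.exe 404
2001-08-04 21:18:00 203.0.113.250 GET
"""

# Assumption of this example: requests for the Indexing Service ISAPI extensions
# (.ida / .idq) are the ones worth reporting for the vulnerability the message cites.
ISAPI_TARGET = re.compile(r"\.id[aq]$", re.IGNORECASE)


def parse_w3c_fields(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def to_report_lines(text):
    """Return unique 'IP DATE/TIME' strings, one per offending request, ready to submit."""
    seen, out = set(), []
    for rec in parse_w3c_fields(text):
        if not ISAPI_TARGET.search(rec.get("cs-uri-stem", "")):
            continue
        try:
            ip = str(ipaddress.ip_address(rec["c-ip"]))
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # bad address or timestamp: an automated notifier cannot act on it
        if (ip, ts) in seen:
            continue  # exact duplicate request already recorded
        seen.add((ip, ts))
        out.append(f"{ip} {ts.strftime('%Y-%m-%dT%H:%M:%SZ')}")
    return out
```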


