Bugtraq mailing list archives
Re: 'Code Red' does not seem to be scanning for IIS
From: George William Herbert <gherbert () retro com>
Date: Fri, 20 Jul 2001 11:13:10 -0700
Ryan wrote:
> Mike Brockman wrote:
> > From what I read about the 'Code Red'-worm, it was supposed to be scanning
> > for IIS-servers. It obviously isn't, I believe it tries to infect everything
> > they find on port 80, or something as simple as that.
>
> Run nc -l -p 80 > worm, and you'll get a copy. It's not scanning in any sense,
> it just tries a connect, and sends the string.
An anonymous chat room contact yesterday told me they'd had success linking default.ida to their kernel; the worm always seemed to abort its attack after something like 32k of stuff was shoved down the pipe from their Linux/Apache server. They hypothesized it was causing a buffer overrun in the worm code.

After hearing that, I dropped a copy of Shakespeare's "Much Ado About Nothing" into htdocs/default.ida on my system and snooped the net a while. I got one more connect attempt from the worm and it seemed to have dropped its connection after something like 30k of data flowed back, but I was unable to tell what happened at the far end. I only was able to watch one event happen.

I've reviewed the eEye analysis and concluded I don't know enough assembly to tell whether it appears to work that way, and I don't have an IIS system to use as a testbed. Can someone who's got a better handle on how the virus' internals are behaving take a look and confirm or deny that this is an effective prophylactic measure?

-george william herbert
gherbert () retro com
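As an added example (not part of the original post or the thread), here is a Python equivalent of the `nc -l -p 80 > worm` capture quoted above that records each connection's source, size, hash and whether it asked for default.ida, without ever replying. The port 8080, the 64 KB cap and all function names are assumptions made for this sketch.

```python
import hashlib
import socket

MAX_CAPTURE = 64 * 1024   # assumption: cap on bytes kept per connection
TARGET = "/default.ida"   # the path named in the thread

def summarize(raw: bytes, peer: str) -> dict:
    """Describe one captured payload; the bytes are never executed or parsed deeply."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first.split(" ")
    # Drop the query string so only the requested path is compared.
    path = parts[1].partition("?")[0] if len(parts) >= 2 else ""
    return {
        "peer": peer,
        "bytes": len(raw),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "method": parts[0],
        "path": path,
        "probe": path.lower() == TARGET,
    }

def capture(conn: socket.socket, timeout: float = 5.0) -> bytes:
    """Read whatever the client sends, up to MAX_CAPTURE, sending nothing back."""
    conn.settimeout(timeout)
    chunks, total = [], 0
    try:
        while total < MAX_CAPTURE:
            data = conn.recv(4096)
            if not data:          # peer closed the connection
                break
            chunks.append(data)
            total += len(data)
    except socket.timeout:
        pass                      # keep what arrived before the timeout
    return b"".join(chunks)[:MAX_CAPTURE]

def serve(host: str = "0.0.0.0", port: int = 8080) -> None:
    """Listen like the nc one-liner, but print one summary per connection."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, addr = srv.accept()
            with conn:
                print(summarize(capture(conn), addr[0]))

if __name__ == "__main__":
    serve()
```

Counting `probe` hits per `peer` over time gives the same view of connection attempts that the posters were collecting by hand.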