Security Incidents mailing list archives

Re: Bad CodeRed request ?


From: corecode <corecode () corecode ath cx>
Date: Mon, 06 Aug 2001 18:21:48 +0000

At 04:10 PM 8/6/2001, Rodrigo Barbosa wrote:

The point is that it looks like a CodeRed II, but it's missing the
beginning of the xploit string. Also, this is an HTTP/1.1 request, while
regular CRII requests are HTTP/1.0.

I've got these from 2 hosts now. Multiple times from each of these hosts,
and no regular CRII request from any of them.

Anyone have any idea what this can be ?

hm. i got some request that had some bytes missing (1000 or so). as this new worm uses exactly the same data it is itself (not obvious: codered used the data received and decoded by iis, like request-url and attack vector) some defect will propagate at once. nevertheless these corrupted versions (e.g. bad memory, hard disk (swapped mem) or cpu) won't be able to infect other systems (most of the time). so the point is: why do several hosts appear to have the same corrupted version?

cheerz
  corecode


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

