Security Incidents mailing list archives
Re: What if CodeRed encoded it's HTTP requests?
From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 20 Aug 2001 09:52:51 -0600 (MDT)
On Mon, 20 Aug 2001, Nuno Mendes wrote:
I was just checking how many CodeRed I and II attempts I had on my Linux based Apache server, and figuring out what if a new version of the worm encoded 'degault.ida' in hexadecimal? Or even the data that causes the buffer overflow?
Not that the word "default" is arbitrary. You can change it to whatever else you want.
It seems a lot of tools are based on 'default.ida' string.... aren't they?
I've only looked closely at the Snort rule, which says (if I remember correctly) .ida? (or .idq?) anywhere in the request, and the request is > 259 characters. Now, if you do some games with the .ida part... Well, I believe Snort has a HTTP encoding decoder... don't know how effective it is. Ryan ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- What if CodeRed encoded it's HTTP requests? Nuno Mendes (Aug 20)
- Re: What if CodeRed encoded it's HTTP requests? Ryan Russell (Aug 20)
- Re: What if CodeRed encoded it's HTTP requests? Jose Nazario (Aug 20)