Security Incidents mailing list archives
RE: new codered worm penetrates content-filtering
From: "Shackleford, Dave" <znz1 () cdc gov>
Date: Thu, 10 Jan 2002 12:56:19 -0500
I have seen an enormous number of CodeRed hits lately, and yes - many of them are prefaced with an empty HTTP request. I've been wondering the same thing -- has anyone heard of a scheduled resurgence?

-----Original Message-----
From: Chris Russel [mailto:russel () yorku ca]
Sent: Thursday, January 10, 2002 10:14 AM
To: incidents () securityfocus com
Subject: new codered worm penetrates content-filtering

For a long time I haven't seen codered since we've been using content-screening at the router for blocking the attacks, but suddenly they are showing up again on my IDS. So I was wondering how it is that now they are getting through the content-screening.

After waiting for a capture of an attack session (I didn't have to wait long) it seems that the familiar "GET /default.ida*" is now being delivered with the "GET " in a separate packet which appears designed to defeat the web content-screening features of routers and packet shapers.

It's been a while, but I don't recall it being split up like that before - and I still get some with the "GET" in the same packet so I'm led to believe there's a new code red variant out there. Can anyone else verify that this is new behaviour?

--
Chris Russel | CNS Information Security
russel () yorku ca | York University, Toronto, Canada

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
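
Added example (not part of the original posts): a small Python model of the behaviour described in the quoted message, comparing a filter that inspects each packet payload on its own with one that reassembles the TCP stream before matching. The segments, sequence numbers and the `?XXXX` query placeholder are constructed for illustration, and sequence-number wraparound is not handled.

```python
# Added illustration; all segments below are constructed, not taken from a capture.
SIGNATURE = b"GET /default.ida"


def per_packet_match(segments):
    """Model of per-packet content screening: each payload is inspected alone."""
    return any(SIGNATURE in payload for _seq, payload in segments)


def reassemble(segments):
    """Rebuild one direction of a flow from (seq, payload) pairs.

    Tolerates out-of-order arrival, retransmissions and overlaps (bytes already
    placed in the stream are kept). Stops at the first gap in sequence space.
    """
    stream = bytearray()
    base = min(seq for seq, _payload in segments)
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        offset = seq - base
        if offset > len(stream):
            break  # missing data: nothing after the gap can be trusted yet
        stream.extend(payload[len(stream) - offset:])
    return bytes(stream)


def stream_match(segments):
    """Match the signature against the reassembled stream, as the web server sees it."""
    return SIGNATURE in reassemble(segments)


# Constructed samples: (TCP sequence number, payload)
REQUEST_TAIL = b"/default.ida?XXXX HTTP/1.0\r\n\r\n"
SINGLE = [(1000, b"GET " + REQUEST_TAIL)]
SPLIT = [(1000, b"GET "), (1004, REQUEST_TAIL)]
SPLIT_REORDERED = [(1004, REQUEST_TAIL), (1000, b"GET ")]
BENIGN = [(1000, b"GET "), (1004, b"/index.html HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    for name, segs in [("single", SINGLE), ("split", SPLIT),
                       ("split, reordered", SPLIT_REORDERED), ("benign", BENIGN)]:
        print(f"{name:18} per-packet={per_packet_match(segs)!s:5} "
              f"reassembled={stream_match(segs)}")
```

The split request is missed by the per-packet check and caught once the stream is reassembled, which is consistent with the IDS in the report still alerting while the router's content screening let the request through.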
Current thread:
- new codered worm penetrates content-filtering Chris Russel (Jan 10)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 10)
- Re: new codered worm penetrates content-filtering Chris Russel (Jan 10)
- Re: new codered worm penetrates content-filtering Michael H. Warfield (Jan 10)
- <Possible follow-ups>
- RE: new codered worm penetrates content-filtering Shackleford, Dave (Jan 10)
- RE: new codered worm penetrates content-filtering Robert Gile @Agoura (Jan 10)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 10)
- Re: new codered worm penetrates content-filtering Nick FitzGerald (Jan 11)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 11)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 11)
- Re: new codered worm penetrates content-filtering Nick FitzGerald (Jan 11)