Ryan
Premium
join:2001-03-03
Quincy, MA

reply to RenHoek

Re: New Code Red signature?

The thing is, could this thing be destructive and, like what you had pointed out, Steve, could it delete important things off of your registry? Would it matter if you had IIS running or not?


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by POOoOoOPs:
Would it matter if you had iis running or not.
Yes: only IIS is susceptible because the infection mechanism is the same. The worm has two parts: the delivery mechanism and the payload. The delivery mechanism is probably the first line that you see in the logs: a bit of very carefully crafted overflow bytes, and it's designed to take advantage of the flaw in IIS. Only when this succeeds is the payload even interesting. So if you're patched, the payload is not even considered.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


NitinPutcha

@home.com

reply to RenHoek

Infection levels on comcast@home

Just FYI- On my comcast@home connection, 322 probes from 24.x.x.x machines in the last 8 hours. My ZoneAlarm is going nuts.

ArkiMage

join:2001-06-30
Kingsport, TN

Capturing the Payload

Just for the heck of it I created a default.ida file so my web server would return a 200 instead of a 404 to the probes (Apache on Linux). I just saw a hit in the logs but no additional payload or connections from the probing machine. What response should be returned for the worm to think it has a valid target? Something other than 200 or 404, I suppose.

PS. With a 24.x.y.z IP the cable modem lights are going like crazy. Looks like a huge download from a fast site is in progress.

mbyrd

join:2001-08-05
Alabama

said by ArkiMage:
What response should be returned for the worm to think it has a valid target?
The buffer overflow trigger is followed by the payload in the initial request. If you answer port 80 you get it all. There is no validation mechanism. If you overflow, then it runs.

Three packets to make it happen (not counting setup/reset):

Size  Prot  Time      Data
1518  HTTP  13:57:19  /default.ida?XXXXXXXXXXXXXXXXX...
1518  HTTP  13:57:19  S=1108097130, L=1460
956   HTTP  13:57:19  S=1108098590, L=898

Hope that helps.
Mike

ArkiMage

join:2001-06-30
Kingsport, TN

Got to be more... You're telling me this implements an IP scanner and replication and backdoor code?

%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190 %u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

If so it's the tightest code I've ever seen. That's all I get after the /default.ida?XXXX... string. There has to be more "code" to it and I assume it sends through the rest if it gets some type of response code alerting it to an infectable machine. Surely...



jlandgr

join:2001-01-05
Germany

said by ArkiMage:
Got to be more... You're telling me this implements an IP scanner and replication and backdoor code?

There is more, indeed.
Besides reading SJFriedl's good analysis, you can also check the one from eeye.com
Jerome


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to ArkiMage

Re: Capturing the Payload

said by ArkiMage:
Got to be more... You're telling me this implements an IP scanner and replication and backdoor code?
There is more. The first line of the HTTP submission is the injection mechanism, and it simply takes over the IIS system. The rest of the headers that follow -- around 3kbytes -- is the payload that does the actual dirty work.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


DeHackEd
Bill Ate Tux's Rocket

join:2000-12-07

For a better view of the virus' payload, check this image on my web server. It's an Ethereal dump.

God knows the only hits it gets are from the virus.
Update: that was stupid of me!

[text was edited by author 2001-08-05 14:20:37]



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by DeHackEd:
http://10.0.0.2:81/codered2.jpg
Not gonna get very far with a ten-dot address from here.

You can see a text dump of the entire virus (headers and payload) at http://www.unixwiz.net/techtips/CodeRedII.txt . About 17kbytes.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net

[text was edited by author 2001-08-05 14:23:12]


DeHackEd
Bill Ate Tux's Rocket

join:2000-12-07

I changed that a while ago. That was very stupid of me. Sorry.

I originally thought the virus was encoded at the end of the URL as well. When I later heard reference to the virus being around 3-4k large, I figured I was wrong and started an Ethereal dump of my internet connection. It took a while but I got the above data.

Now I don't need to wait much more. Since the entire thing started, I have had 455 hits. 13 of them were from the July incident. In August alone, I've had 104 NNNNN hits and 338 XXXXX hits. If the second virus only hit yesterday, then I am impressed and afraid.
--
I do not suffer from insanity! I enjoy every minute of it!
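The counting that DeHackEd and NitinPutcha did by hand (NNNN hits versus XXXX hits, probes per 24.x.x.x source range) is easy to automate over an Apache access log. The script below is an added example for this thread, not code posted by anyone in it. It assumes Apache's combined log format; the log lines are constructed samples with the filler runs shortened to keep them readable (real probes carry several hundred filler bytes before the %u-encoded part). It also tallies the status code the server answered with, which illustrates mbyrd's point: the probe arrives in full whether you return 200 or 404, because nothing is negotiated before the payload is sent.

```python
"""Classify Code Red style /default.ida probes in an Apache access log.

Added example for this thread (not any poster's code). It mirrors what the
posters did by hand: count NNNN... and XXXX... hits separately and see which
source /24 networks they come from.
"""
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in Apache combined log format (not from the thread).
# Filler runs are shortened; real probes have several hundred filler bytes.
SAMPLE_LOG = """\
24.1.2.3 - - [05/Aug/2001:13:57:19 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 281 "-" "-"
24.1.2.77 - - [05/Aug/2001:14:02:05 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 200 0 "-" "-"
24.9.8.7 - - [05/Aug/2001:14:05:41 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 281 "-" "-"
192.0.2.10 - - [05/Aug/2001:14:10:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.5 - - [05/Aug/2001:14:11:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 281 "-" "-"
"""

# Apache combined log: host ident user [time] "method path protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A probe is a GET for /default.ida whose query begins with a run of one
# repeated filler letter; the letter (N or X) separates the two variants
# the posters were counting.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<filler>[NX])(?P=filler)*')


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_probe(path):
    """Return the filler letter ('N' or 'X') of a /default.ida probe, else None."""
    m = PROBE_RE.match(path)
    return m.group('filler') if m else None


def summarize(log_text):
    """Count probes by filler letter, by source /24 and by the status we returned."""
    by_filler = Counter()
    by_network = Counter()
    by_status = Counter()
    other = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        filler = classify_probe(rec['path'])
        if filler is None:
            other += 1
            continue
        by_filler[filler] += 1
        # Group sources by /24, as the posters did with their "24.x.x.x" counts.
        by_network[str(ip_network(rec['host'] + '/24', strict=False))] += 1
        # Our answer does not gate the probe: overflow bytes and payload travel
        # in the same request, so 200 and 404 responders both see the full hit.
        by_status[rec['status']] += 1
    return {
        'probes': sum(by_filler.values()),
        'other': other,
        'by_filler': dict(by_filler),
        'by_network': dict(by_network),
        'by_status': dict(by_status),
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Point it at a real access log by reading the file into `summarize()`; on a patched or non-IIS server the result is purely a measure of how much scanning traffic reaches you, which is what the posters were comparing.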

