From: Joe Harris (cdi thewebmasters.net)
Date: Thu Jul 19 2001 - 13:30:44 CDT
On Wed, 18 Jul 2001, Marc Maiffret wrote:
>
> The following is a detailed analysis of the "Code Red" .ida worm that we
> reported on July 17th 2001.
[snip much excellent stuff]
> The following is part of the packet data that is sent for this .ida "Code
> Red" worm attack:
> GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0
> Just add that to your IDS signature database.
A notable side effect of this: the worm signature is wreaking havoc with
Cisco 675, 677, and 678 DSL routers that have the Web Based Configuration
Interface enabled.
Ref BugTraq ID # 2012
http://www.securityfocus.com/vdb/bottom.html?vid=2012
Any request which includes a question mark made to the Web Admin Interface
on these Cisco devices will cause them to lock up. I mention this only
because I work tech-support at an ISP and the phones have been going nuts
this morning.
Useless trivia -
Web server log ida worm signatures seen yesterday: 0
Today the web server (apache) is recording an average of 4 unique IPs
attacking the server every hour.
This one's gonna be bad.
CDI
--
The Web Master's Net http://www.thewebmasters.net/
Today's Excuse: filesystem not big enough for Jumbo Kernel Patch
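The hourly count of unique attacking IPs that the post reports from its Apache logs, as an added example that is not part of the original thread: it parses common-log-format lines for the .ida request pattern quoted above and groups source addresses by hour. The log lines and both regular expressions are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample Apache common-log lines (not real log data). The request
# lines mirror the .ida "Code Red" signature quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:09:02:11 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 299
192.0.2.10 - - [19/Jul/2001:09:15:42 -0500] "GET /default.ida?NNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 299
198.51.100.7 - - [19/Jul/2001:09:47:03 -0500] "GET /default.ida?NNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 299
203.0.113.5 - - [19/Jul/2001:10:01:30 -0500] "GET /default.ida?NNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 299
203.0.113.99 - - [19/Jul/2001:10:30:00 -0500] "GET /index.html HTTP/1.0" 200 1523
"""

# Apache common log format: ip ident user [timestamp] "method uri proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
# The worm requests /default.ida with a long run of N padding followed by
# %uXXXX-encoded bytes; requiring both is tighter than a path-only match and
# avoids flagging an ordinary probe of default.ida.
IDA_RE = re.compile(r'^/default\.ida\?N{4,}.*%u[0-9a-fA-F]{4}', re.IGNORECASE)


def is_code_red_request(uri: str) -> bool:
    return IDA_RE.search(uri) is not None


def unique_attackers_per_hour(log_text: str) -> dict:
    """Map 'DD/Mon/YYYY:HH' -> sorted list of distinct IPs sending the .ida signature."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_code_red_request(m.group("uri")):
            hour = m.group("ts")[:14]  # e.g. '19/Jul/2001:09'
            hits[hour].add(m.group("ip"))
    return {h: sorted(ips) for h, ips in hits.items()}


def average_unique_per_hour(log_text: str) -> float:
    per_hour = unique_attackers_per_hour(log_text)
    if not per_hour:
        return 0.0
    return sum(len(v) for v in per_hour.values()) / len(per_hour)


if __name__ == "__main__":
    for hour, ips in sorted(unique_attackers_per_hour(SAMPLE_LOG).items()):
        print(hour, len(ips), ips)
    print("average unique attacking IPs per hour:", average_unique_per_hour(SAMPLE_LOG))
```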