From: Robin Smith (rasmitharistotle.tamu.edu)
Date: Thu Aug 09 2001 - 06:25:25 CDT


    >>>>> "Claude" == Claude Buisson <ubcparis.framatome.fr> writes:

        Claude> I have seen a few of these starting from August 6, amidst
        Claude> a flow of "standard" GET /default.ida?NNNNNNNN... and GET
        Claude> /default.ida?XXXXXXX... Is Code Red II bugged?

    My httpd access log is full of "GET /default/ida?XXX....", which is
    evidently the Code Red II signature; haven't seen very many Code Red I
    hits in the last few days (but Code Red II seems to hit us with much
    greater frequency).

    The "NNN.." and "XXX..." strings are just filler to overflow a buffer;
    the payload (and the real signature of the worm) is the bit of code at
    the end, which is object code encoded in hex ("%u" and four digits).
    Compare these and you'll see they are the same. But it's so much easier
    to type "grep NNNN /var/log/..." :=)

    Robin Smith

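A small log-triage script illustrating the point above (key on the %u-encoded tail, not on the NNN/XXX filler), written as an added example and not code from the post. The access-log lines and the %u words are constructed placeholders, and decoding each %uXXXX as a little-endian 16-bit word is an assumption about how IIS interpreted that escape.

```python
import hashlib
import re

# Constructed sample access-log lines (not from the post); the %u words
# are placeholders, not the worm's real payload.
SAMPLE_LOG = """\
10.0.0.1 - - [09/Aug/2001:06:01:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 400 231
10.0.0.2 - - [09/Aug/2001:06:02:03 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 400 231
10.0.0.3 - - [09/Aug/2001:06:03:04 -0500] "GET /index.html HTTP/1.0" 200 1024
10.0.0.4 - - [09/Aug/2001:06:04:05 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u1234%uabcd HTTP/1.0" 400 231
"""

# Filler run (N or X) followed by the %u-encoded tail that carries the code.
REQ_RE = re.compile(r'"GET /default\.ida\?([NX]+)((?:%u[0-9a-fA-F]{4})*)')


def decode_u_escapes(tail: str) -> bytes:
    """Turn a run of %uXXXX escapes into raw bytes (16-bit little-endian, assumed)."""
    words = re.findall(r'%u([0-9a-fA-F]{4})', tail)
    return b''.join(int(w, 16).to_bytes(2, 'little') for w in words)


def classify(line: str):
    """Return filler letter, filler length and payload digest for an .ida hit, else None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    filler, tail = m.group(1), m.group(2)
    payload = decode_u_escapes(tail)
    return {
        'filler': filler[0],                 # the "grep NNNN" shortcut
        'filler_len': len(filler),
        'payload': payload,                  # the part that actually matters
        'digest': hashlib.sha256(payload).hexdigest()[:16],
    }


def group_by_payload(log: str):
    """Map payload digest -> list of filler letters seen with it."""
    groups = {}
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            groups.setdefault(hit['digest'], []).append(hit['filler'])
    return groups


if __name__ == '__main__':
    for digest, fillers in group_by_payload(SAMPLE_LOG).items():
        print(digest, sorted(set(fillers)), len(fillers))
```

Grouping by the decoded tail separates two requests that share a filler letter but carry different code, and joins two that differ only in filler.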