
BLU Discuss list archive



Curious HTTP GET commands ...



> ------------ Original Message -----------
> From: John Chambers <jc at trillian.mit.edu>
> Date: Mon, 06 Aug 2001 16:06:51 UTC
> 
> One curious problem: I've dug around in a few search sites and some
> of the security sites to see if I could find a precise description of
> the CodeRed symptoms. So far, I've hit a brick wall. Lots and lots of
> comments on what it does and how it works, but nothing at all that
> tells me how to detect it. They all seem to think that I'm too stupid
> to understand that; I shouldn't worry my little head about it; I
> should just install Microsoft's patch (in my apache server running on
> linux?) and all will be right with the world.

I'm not sure how you can detect if you're running other than looking for root.exe in the scripts directory or noticing requests for default.ida in your logs.

> Meanwhile, I've noticed that sometimes the GET requests include a
> long string of X's, and other times with a long string of N's. Are
> these two clones of CodeRed? Are other letters also symptomatic of
> CodeRed? Is this documented somewhere? I wouldn't want to accuse some
> site of doing a CodeRed attack, when it's actually an unrelated
> CodeBlue attack, y'know.

It is two different versions. The second (I believe it uses 'X' instead of 'N') installs a backdoor via /scripts/root.exe, which is a copy of cmd.exe. The first was merely a worm to attack whitehouse.gov.
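Checking Apache access logs for the two request patterns named in this reply (default.ida with a long run of one filler letter, and hits on /scripts/root.exe), as an added example that is not part of the thread. The log lines are constructed, the v1/v2 labels follow the reply's own N-versus-X attribution, and the minimum run length of 20 filler characters is an assumption.

```python
import re
from collections import Counter

# Apache combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A GET for default.ida followed by a long run of a single filler letter;
# N or X tells the two variants apart. The run length of 20 is assumed.
IDA_RE = re.compile(r'^/default\.ida\?([NX])\1{19,}', re.IGNORECASE)
# Requests for the backdoor the second variant leaves behind.
BACKDOOR_RE = re.compile(r'^/scripts/root\.exe', re.IGNORECASE)


def classify_request(path):
    """Return a label for a Code Red-related request path, or None."""
    m = IDA_RE.match(path)
    if m:
        # Per the reply above: N filler is the first variant,
        # X filler the second one that drops /scripts/root.exe.
        return "codered-v1" if m.group(1).upper() == "N" else "codered-v2"
    if BACKDOOR_RE.match(path):
        return "root.exe-backdoor-probe"
    return None


def scan_log(lines):
    """Return (ip, timestamp, label, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-Apache line
        label = classify_request(m.group("path"))
        if label:
            hits.append((m.group("ip"), m.group("ts"), label, int(m.group("status"))))
    return hits


def summarize(hits):
    """Count hits per (source IP, label) so repeat scanners stand out."""
    return Counter((ip, label) for ip, _, label, _ in hits)


# Constructed sample lines (not captured traffic); filler runs shortened.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Aug/2001:16:06:51 +0000] "GET /default.ida?' + "N" * 60 + ' HTTP/1.0" 404 285 "-" "-"',
    '192.0.2.10 - - [06/Aug/2001:16:07:12 +0000] "GET /default.ida?' + "N" * 60 + ' HTTP/1.0" 404 285 "-" "-"',
    '198.51.100.7 - - [06/Aug/2001:16:09:03 +0000] "GET /default.ida?' + "X" * 60 + ' HTTP/1.0" 404 285 "-" "-"',
    '198.51.100.7 - - [06/Aug/2001:16:09:04 +0000] "GET /scripts/root.exe HTTP/1.0" 404 280 "-" "-"',
    '203.0.113.3 - - [06/Aug/2001:16:10:00 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    'not an apache log line at all',
]

if __name__ == "__main__":
    for (ip, label), n in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{ip:15} {label:25} {n}")
```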




