TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
I received the X-Press alert for Code Red yesterday. In it was some good
information on what it is and does and how to detect it.
I do have a question concerning the RS signature. In the text of the alert,
it says that Code Red sends the string "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a".
However, the signature string for RS is simply "default\.ida$". I do not
understand how the two can relate since the RS string does not match that
part of the attack. Can someone explain it for me?
Thanks
Dan Wangler, GIAC Certified Intrusion Analyst
IT Security Engineering and Development
IT Security, Texas Instruments, Inc.
6500 Chase Oaks Blvd., MS 8417
Plano, Texas, 75023, Phone: 972-927-8304
Email: [EMAIL PROTECTED]
