TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

I am running Real Secure 5.5

And attempts of this show as HTTP_Netscape_SpaceView and as a caution.  

The details of the attack match one of these.  (Either all As or Ns.  I
can't remember)

James Byrd

-----Original Message-----
From: Craig Humphrey [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 31, 2001 5:05 PM
To: [EMAIL PROTECTED]
Subject: RE: Code Red for RealSecure




I agree, I've been looking at what some of the CodeRed detectors do and they
send:

GET /x.ida
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X

So what's to stop a minor variant of CodeRed just changing the file it asks
for?  Seems a very short-sighted signature.

Later'ish
Craig

> -----Original Message-----
> From: Dan Wangler [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 01, 2001 1:57 AM
> To: [EMAIL PROTECTED]
> Subject: Code Red for RealSecure
> 
> 
> 
> 
> I received the X-Press alert for Code Red yesterday.  In it was some good
> information on what it is and does and how to detect it.
> 
> I do have a question concerning the RS signature.  In the text of the alert,
> it says that Code Red sends the string "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNN
> NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909
> 0%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0
> 000%u00=a".
> 
> However, the signature string for RS is simply "default\.ida$".  I do not
> understand how the two can relate since the RS string does not match that
> part of the attack.  Can someone explain it for me?
> 
> Thanks
> 
> 
> Dan Wangler, GIAC Certified Intrusion Analyst
> IT Security Engineering and Development
> IT Security, Texas Instruments, Inc.
> 6500 Chase Oaks Blvd., MS 8417
> Plano, Texas, 75023, Phone: 972-927-8304
> Email: [EMAIL PROTECTED]
> 
> 
> 
> 
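
The signature question raised in this thread, as an added example that is not part of the original messages or of RealSecure: it compares the quoted pattern "default\.ida$" with a broader check on constructed request lines. Applying the pattern to the URL path only, the 100-character query threshold, and all function names are assumptions made for illustration.

```python
import re

# Signature string quoted in the thread. Matching it against the URL path
# (query string excluded) is an assumption of this example.
PAGE_SIGNATURE = re.compile(r"default\.ida$")

# Hypothetical broader rule: any .ida path carrying an overlong query string.
IDA_PATH = re.compile(r"\.ida$", re.IGNORECASE)
MAX_QUERY_LEN = 100  # assumed threshold, not taken from the thread


def split_request(line):
    """Return (method, path, query) from an HTTP request line, or None."""
    parts = line.split(" ")
    if len(parts) < 2:
        return None
    path, _, query = parts[1].partition("?")
    return parts[0], path, query


def filename_rule(line):
    """Fires only when the requested path ends in default.ida."""
    req = split_request(line)
    return bool(req and PAGE_SIGNATURE.search(req[1]))


def generic_rule(line):
    """Fires on any .ida path whose query string is longer than the threshold."""
    req = split_request(line)
    return bool(req and IDA_PATH.search(req[1]) and len(req[2]) > MAX_QUERY_LEN)


# Constructed sample request lines modelled on the two strings in the thread.
SAMPLES = {
    "worm_style": "GET /default.ida?" + "N" * 224 + "%u9090=a HTTP/1.0",
    "renamed_file": "GET /x.ida?" + "A" * 200 + "=X HTTP/1.0",
    "short_default_ida": "GET /default.ida?q=1 HTTP/1.0",
    "unrelated_page": "GET /index.html?id=5 HTTP/1.0",
}


def evaluate(samples=SAMPLES):
    """Map each sample label to (filename_rule result, generic_rule result)."""
    return {k: (filename_rule(v), generic_rule(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for label, (by_name, by_shape) in evaluate().items():
        print(f"{label:18} filename={by_name!s:5} generic={by_shape}")
```

The renamed-file request is missed by the filename rule and caught by the generic one, while a short request for default.ida triggers only the filename rule.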


