[Dshield] CodeRed Difference with 'new' XXX variant

Paul Hustava hinshara at mindspring.com
Sat Aug 4 21:50:15 GMT 2001


When I first noticed the new variant of the Code Red exploit attempt today, I
noticed that the new 'GET' lines containing the XXXXX's (rather than the NNNNN's)
all had the same first octet as my IP address -- 63.

I now see a possible purpose for this new exploit. It simply generates a '404'
error rather than the 'malformed header' statement in the error logs. I matched
these up with Apache's access_log. I verified that the new exploit always
generates the 404's where the 'older' variant generated the malformed header
error:

[Sat Aug  4 06:09:41 2001] [error] [client 61.32.19.125] Client sent malformed Host header
[Sat Aug  4 08:46:12 2001] [error] [client 63.175.162.222] File does not exist: /usr/local/apache/htdocs/default.ida
[Sat Aug  4 10:23:55 2001] [error] [client 211.221.147.23] Client sent malformed Host header
[Sat Aug  4 10:44:46 2001] [error] [client 63.52.131.181] File does not exist: /usr/local/apache/htdocs/default.ida
[Sat Aug  4 11:56:26 2001] [error] [client 63.229.198.246] File does not exist: /usr/local/apache/htdocs/default.ida
[Sat Aug  4 12:35:06 2001] [error] [client 63.140.246.79] File does not exist: /usr/local/apache/htdocs/default.ida
[Sat Aug  4 12:47:25 2001] [error] [client 209.251.174.110] Client sent malformed Host header
[Sat Aug  4 12:50:28 2001] [error] [client 24.1.158.212] Client sent malformed Host header
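
The two error_log signatures the post contrasts (the "Client sent malformed Host header" line from the older NNNN variant and the "File does not exist: .../default.ida" 404 from the new XXXX variant) can be pulled out of an Apache 1.3-style error_log and tallied by source address, including how many scanners share the reporting host's first octet, which is the pattern the poster noticed. The script below is an added example written for this page, not code from the post or from DShield. The log text is a constructed copy of the entries quoted above plus one unrelated 404 (robots.txt) to show that the filter does not treat every missing file as Code Red, and the local first octet of 63 is taken from the post; the variant labels are this example's own names. As the post itself does, treat the malformed Host header count as a lead to confirm against access_log, since that message is not unique to Code Red.

```python
import re
from collections import Counter

# Constructed sample: the error_log entries quoted in the post, plus one ordinary
# 404 (robots.txt) that must NOT be classified as a Code Red hit.
SAMPLE_ERROR_LOG = """\
[Sat Aug  4 06:09:41 2001] [error] [client 61.32.19.125] Client sent malformed Host header
[Sat Aug  4 08:46:12 2001] [error] [client 63.175.162.222] File does not exist: /usr/local/apache/htdocs/default.ida
[Sat Aug  4 10:23:55 2001] [error] [client 211.221.147.23] Client sent malformed Host header
[Sat Aug  4 10:44:46 2001] [error] [client 63.52.131.181] File does not exist: /usr/local/apache/htdocs/default.ida
[Sat Aug  4 11:56:26 2001] [error] [client 63.229.198.246] File does not exist: /usr/local/apache/htdocs/default.ida
[Sat Aug  4 12:35:06 2001] [error] [client 63.140.246.79] File does not exist: /usr/local/apache/htdocs/default.ida
[Sat Aug  4 12:47:25 2001] [error] [client 209.251.174.110] Client sent malformed Host header
[Sat Aug  4 12:50:28 2001] [error] [client 24.1.158.212] Client sent malformed Host header
[Sat Aug  4 13:02:11 2001] [error] [client 63.9.8.7] File does not exist: /usr/local/apache/htdocs/robots.txt
"""

# Apache 1.3 error_log layout: [timestamp] [level] [client a.b.c.d] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)

# Labels are this example's own names for the two signatures described in the post.
OLD_VARIANT = "older variant (malformed Host header)"
NEW_VARIANT = "new variant (default.ida 404)"


def classify(msg):
    """Map one error_log message to a variant label, or None if it matches neither signature."""
    if msg == "Client sent malformed Host header":
        return OLD_VARIANT
    # Only a 404 for default.ida counts; any other missing file is ordinary noise.
    if msg.startswith("File does not exist:") and msg.rstrip().endswith("/default.ida"):
        return NEW_VARIANT
    return None


def parse_error_log(text):
    """Parse error_log lines into dicts; lines in another format are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append(
            {"ts": m["ts"], "ip": m["ip"], "msg": m["msg"], "variant": classify(m["msg"])}
        )
    return entries


def summarize(entries, local_first_octet):
    """Per variant: hit count, distinct sources, and how many sources share our first octet."""
    hits = Counter(e["variant"] for e in entries if e["variant"])
    same_octet = Counter(
        e["variant"]
        for e in entries
        if e["variant"] and e["ip"].split(".")[0] == str(local_first_octet)
    )
    return {
        variant: {
            "hits": hits[variant],
            "same_first_octet": same_octet[variant],
            "sources": sorted({e["ip"] for e in entries if e["variant"] == variant}),
        }
        for variant in hits
    }


if __name__ == "__main__":
    # 63 is the poster's first octet (assumption taken from the post).
    for variant, stats in summarize(parse_error_log(SAMPLE_ERROR_LOG), 63).items():
        print(f"{variant}: {stats['hits']} hits, "
              f"{stats['same_first_octet']} from 63.x.x.x, sources={stats['sources']}")
```

Run against a real error_log by replacing SAMPLE_ERROR_LOG with the file contents; the first-octet figure is the quick check for the "same first octet as my IP" observation, and the source lists are what to cross-reference with access_log.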