[Dshield] Code red variant?

Jonathan G. Lampe jonathan at stdnet.com
Thu Jul 26 15:54:38 GMT 2001


Yep - this will kick off the Index Server ISAPI filter as well.  If
you have control over your filters you should also make sure they pick up
the following, CASE INSENSITIVE:

.ida
.idq

This is the first IDA I've seen related to this worm in the field, but I got
my hands on an exploit which I modded to use .ida and it worked just as well
against my test system ;)

Please make sure you are picking up "IdA" and "iDq" and all those other
variants - I haven't seen case variations yet in the field, but it's a
logical mutation and it will work just as well against the ISAPI filter.
(The case sensitivity issue IS a big deal - I don't want to use names but
I've seen at least one IDS vendor distribute a CASE SENSITIVE version
only!!!)

- Jonathan G. Lampe, Standard Networks, Inc.
- jonathan at stdnet.com, 608.227.6100
  I checked the incidents.org site and didn't see anything regarding this,
but perhaps one of you has seen this too. Today, around 7:45am CST, I saw
the now familiar HTTP GET data with repeated character alert from BlackIce.
When I looked at the actual log, I found that it wasn't the same signature
as before... Instead, it was:

  length=222&URL=/x.ida&arg=AAA* (with 219 more a's following).

  Anyone else seen this or know what it is?

  John

  ------------------------------------
  John Thompson
  Network Administrator
  Dept. of Biochemistry
  University of Iowa
  tel: 319.335.7952
  fax: 319.335.9570
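The point of the thread is that a filter for the Index Server extensions has to match `.ida` and `.idq` without regard to case, and that the request John saw combines that extension with a long run of one repeated character in the query. The following is an added example, not code from either poster or from any IDS vendor: it runs both a case-sensitive and a case-insensitive check over a handful of constructed request lines and shows which probes the case-sensitive version misses. The sample lines, the `REPEAT_THRESHOLD` value and the reason labels are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample request lines (not taken from the original post).
# [1] is the lower-case probe shape from the thread, [2] and [3] are the
# mixed-case variants Lampe warns about, [0] and [4] are ordinary requests.
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.0",
    "GET /x.ida?" + "A" * 222 + "=X HTTP/1.0",
    "GET /x.IdA?" + "N" * 224 + "=X HTTP/1.0",
    "GET /scripts/query.iDq?foo HTTP/1.0",
    "GET /docs/readme.txt HTTP/1.0",
]

# The extension check, once as a case-sensitive pattern (the kind of
# signature the thread complains about) and once case-insensitive.
# The lookahead keeps "/x.ida" and "/x.ida/..." but not "/x.idaq".
CASE_SENSITIVE = re.compile(r"\.(ida|idq)(?=/|$)")
CASE_INSENSITIVE = re.compile(r"\.(ida|idq)(?=/|$)", re.IGNORECASE)

# Assumption for the example: a query string carrying a run of 200 or more
# identical characters is treated as the "repeated character" condition.
REPEAT_THRESHOLD = 200


def request_url(line):
    """Return the URL from a 'GET <url> HTTP/x.y' request line, or None."""
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    return parts[1]


def longest_run(s):
    """Length of the longest run of a single repeated character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def classify_request(line, ignore_case=True):
    """Return the sorted list of reasons a request line is suspicious.

    An empty list means the line matched nothing. With ignore_case=False the
    extension check behaves like a case-sensitive signature and misses
    '.IdA' / '.iDq' while the repeated-character check still fires.
    """
    url = request_url(line)
    if url is None:
        return []
    parts = urlsplit(url)
    pattern = CASE_INSENSITIVE if ignore_case else CASE_SENSITIVE
    reasons = []
    if pattern.search(parts.path):
        reasons.append("index-server-extension")
    if longest_run(parts.query) >= REPEAT_THRESHOLD:
        reasons.append("repeated-character-query")
    return reasons


def flag_requests(lines, ignore_case=True):
    """Return only the lines that have at least one reason attached."""
    return [line for line in lines if classify_request(line, ignore_case)]


if __name__ == "__main__":
    for mode in (False, True):
        label = "case-insensitive" if mode else "case-sensitive"
        print(f"--- {label} extension check ---")
        for line in SAMPLE_REQUESTS:
            reasons = classify_request(line, ignore_case=mode)
            if reasons:
                print(f"{line[:40]:<42} {', '.join(reasons)}")
```

Run as a script it prints the flagged lines twice, once per mode; the mixed-case `.IdA` probe only shows up under the extension reason in the second pass, which is exactly the gap Lampe describes in a case-sensitive signature. The `.iDq` request with a short query is missed entirely by the case-sensitive check, since it has no repeated-character run to fall back on.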
