[Dshield] Code red variant?
Jonathan G. Lampe
jonathan at stdnet.com
Thu Jul 26 15:54:38 GMT 2001
Yep - this will kick off the Index Server ISAPI filter as well. If
you have control over your filters you should also make sure they pick-up
the following, CASE INSENSITIVE:
This is the first IDA I've seen related to this worm in the field, but I got
my hands on an exploit which I moded to use .ida and it worked just as well
against my test system ;)
Please make sure you are picking up "IdA" and "iDq" and all those other
variants - I haven't seen case variations yet in the field, but it's a
logical mutation and it will work just as well against the ISAPI filter.
(The case sensitivity issue IS a big deal - I don't want to use names but
I've seen at least one IDS vendor distribute a CASE SENSITIVE version
- Jonathan G. Lampe, Standard Networks, Inc.
- jonathan at stdnet.com, 608.227.6100
I checked the incidents.org site and didn't see anything regarding this,
but perhaps one of you has seen this too. Today, around 7:45am CST, I saw
the now familiar HTTP GET data with repeated character alert from BlackIce.
When I looked at the actual log, I found that it wasn't the same signature
as before... Instead, it was:
length=222&URL=/x.ida&arg=AAA* (with 219 more a's following).
Anyone else seen this or know what it is?
Dept. of Biochemistry
University of Iowa
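As an added illustration (not code from the thread or from any vendor mentioned in it): a small Python check that applies the case-insensitive .ida/.idq rule Jonathan describes to request or log lines, and only raises a verdict when the hit also carries a long run of one repeated character, as in the "arg=AAA..." line above. The sample lines, the 100-character run threshold and the function names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Match the Index Server ISAPI extensions with any letter case, so that
# "x.IdA" or "y.iDq" are caught the same as ".ida" / ".idq". The extension
# must be followed by end-of-string, "?", "&", "/" or a space so that a
# path like "/idaho.html" is not counted.
IDA_IDQ_RE = re.compile(r"\.id[aq](?:$|[?&/ ])", re.IGNORECASE)


@dataclass
class Verdict:
    line: str
    matched_extension: bool   # .ida/.idq seen (case-insensitive)
    repeated_run: int         # longest run of one repeated character
    suspicious: bool          # extension hit AND run >= threshold


def longest_repeat_run(s: str) -> int:
    """Length of the longest run of a single repeated character in s."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def inspect_request(line: str, min_run: int = 100) -> Verdict:
    """Classify one request line or BlackIce-style log line.

    min_run (assumed value, 100) is the repeated-character length above
    which an .ida/.idq request is treated as the worm pattern rather than
    an ordinary Index Server query.
    """
    ext = bool(IDA_IDQ_RE.search(line))
    run = longest_repeat_run(line)
    return Verdict(line, ext, run, ext and run >= min_run)


def scan(lines):
    """Return the suspicious verdicts for a batch of lines."""
    return [v for v in map(inspect_request, lines) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    SAMPLE_LINES = [
        "length=222&URL=/x.ida&arg=" + "A" * 220,
        "GET /default.IdA?" + "N" * 224 + " HTTP/1.0",
        "GET /search.iDq?CiRestriction=" + "X" * 10 + " HTTP/1.0",
        "GET /index.html HTTP/1.0",
    ]
    for v in scan(SAMPLE_LINES):
        print(f"run={v.repeated_run} {v.line[:40]}...")
```

The third sample line shows why the repeated-run condition matters: a legitimate mixed-case .idq query hits the extension rule but is not flagged on its own.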