[Dshield] RE: Code Red Vers. 1 sightings.

Josh Tolley josh at raintreeinc.com
Wed Oct 10 18:51:25 GMT 2001


I've been seeing default.ida?XXXXXXXXXXXXXXX... (code red II, right?)
occasionally lately, but haven't seen cr1's signature in a "long" time.

Josh Tolley

PS.  It is nice that Nimda has died down, isn't it :)

<snip>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


After CodeRed shut itself off on Oct. 1st, the door is open again for CRI to
spread. We have already received a few sightings. However, as there was almost
a week of quiet time, it would be interesting to get the first one.

Please check your web logs and see if they include the typical signature...
here is a sample:

4.18.227.20 - - [07/Oct/2001:10:39:55 -0400] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 326

Please only send the earliest few samples you have in your logs from
October. Just send them to me directly (jullrich at dshield.org).

 Thanks!

- --
- -------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System
</snip>
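As an added example, not part of the original post or of DShield's own tooling: a small Python script that does the log check asked for above, scanning NCSA common/combined-format web logs for the Code Red request signature and reporting the earliest hit per worm family since 1 October 2001. The family mapping is taken from the thread (a run of N's, as in the quoted sample, is Code Red I; a run of X's is Code Red II, as Josh describes). Assumptions: the log format, the 100-byte minimum filler length used to avoid matching casual probes, and the sample log lines, which are constructed here (the first reproduces the quoted sample; the rest are made up, and the Code Red II line reuses the same %u trailer purely for illustration).

```python
import re
from datetime import datetime, timezone

# One NCSA common/combined log line: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The worm's request: GET /default.ida? + a long run of one filler byte + %u-encoded
# payload. The quoted sample uses 'N' (Code Red I); Josh's run of 'X' is Code Red II.
# The 100-byte minimum is an assumption chosen so that casual probes do not match.
CODERED_RE = re.compile(r'^GET /default\.ida\?(N{100,}|X{100,})%u')
FAMILY = {"N": "CodeRed-I", "X": "CodeRed-II"}

# %u payload copied from the sample in the post (it follows the run of N's).
PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
           "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")


def _line(host, when, request, status="400", size="326"):
    return f'{host} - - [{when}] "{request}" {status} {size}'


# Constructed sample log. The first line reproduces the post's sample (224 N's, as
# counted from the wrapped sample); the other lines are invented for illustration.
SAMPLE_LOG = "\n".join([
    _line("4.18.227.20", "07/Oct/2001:10:39:55 -0400",
          "GET /default.ida?" + "N" * 224 + PAYLOAD + " HTTP/1.0"),
    _line("192.0.2.7", "29/Sep/2001:08:12:01 -0400",
          "GET /default.ida?" + "N" * 224 + PAYLOAD + " HTTP/1.0"),
    _line("198.51.100.5", "05/Oct/2001:22:41:10 -0400",
          "GET /default.ida?" + "X" * 224 + PAYLOAD + " HTTP/1.0"),
    _line("203.0.113.9", "06/Oct/2001:03:15:44 -0400",
          "GET /index.html HTTP/1.0", "200", "1043"),
    _line("198.51.100.77", "09/Oct/2001:11:02:30 -0400",
          "GET /default.ida?" + "N" * 224 + PAYLOAD + " HTTP/1.0"),
])


def classify(request):
    """Return the worm family for a Code Red request line, or None if it is not one."""
    m = CODERED_RE.match(request)
    return FAMILY[m.group(1)[0]] if m else None


def parse_time(stamp):
    """Parse the NCSA timestamp, e.g. 07/Oct/2001:10:39:55 -0400, into an aware datetime."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def earliest_sightings(lines, since=None):
    """Map family -> {'first_seen', 'first_host', 'count'} for hits at or after `since`."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        family = classify(m.group("request"))
        if family is None:
            continue
        when = parse_time(m.group("time"))
        if since is not None and when < since:
            continue
        entry = hits.setdefault(
            family, {"first_seen": when, "first_host": m.group("host"), "count": 0})
        entry["count"] += 1
        if when < entry["first_seen"]:
            entry["first_seen"] = when
            entry["first_host"] = m.group("host")
    return hits


def october_report(log_text=SAMPLE_LOG):
    """The check the post asks for: earliest Code Red hits since 1 Oct 2001 (UTC)."""
    return earliest_sightings(log_text.splitlines(),
                              since=datetime(2001, 10, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for family, info in sorted(october_report().items()):
        print(f"{family}: {info['count']} hit(s), first seen "
              f"{info['first_seen'].isoformat()} from {info['first_host']}")
```

To run it against a real access log, replace SAMPLE_LOG with the file contents (or pass the file's lines to earliest_sightings); the lines it reports for each family are the ones the post asks you to send in.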



