[unisog] [dc-sage] Code Red mutated? (fwd)

Christopher E. Cramer chris.cramer at duke.edu
Sun Aug 5 02:46:33 GMT 2001


We're seeing the same behavior.  However, the only difference seems to be
the replacement of the 'N's in the original with the 'X's.  I believe
these characters are just there to overrun the buffer, so any change in
that portion is probably cosmetic and designed to fool overly specific
detection rules.

-Chris

----------------------------------------------------------------------
Christopher E. Cramer, Ph.D.
Information Technology Security Officer
Duke University,  Office of Information Technology
253A North Building, Box 90132, Durham, NC  27708-0291
PH: 919-660-7003  FAX: 919-660-7076  email: chris.cramer at duke.edu


On Sat, 4 Aug 2001, Anderson Johnston wrote:

> Date: Sat, 4 Aug 2001 18:14:37 -0400
> From: Anderson Johnston <andy at umbc.edu>
> To: Global Incident Analysis Center <intrusion at sans.org>
> Cc: unisog at sans.org, Matt Fearnow <matt at sans.org>,
>      Stephen Northcutt <Sn0rthc at aol.com>, Mark Cather <markc at umbc.edu>
> Subject: [unisog] [dc-sage] Code Red mutated? (fwd)
>
>
> This is from a dc-sage posting (someone else's server).  Anyone else
> seeing mutations?
>
>
> * snip *
>
> The last few Code Red fronds to wave in front of my web
> server have a new signature:
>
> 151.17.195.2 - - [04/Aug/2001:16:29:37 -0400] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190
> %u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 200 219 "-" "-"
>
> * snip *
>
> ------------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
> ** Distributed Systems Manager            * PGP key:(afj2000) 1024/F67035E1 **
> ** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
> ** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
> ------------------------------------------------------------------------------
>
>
>
>
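A defender-side illustration of the point Chris makes above, added here as an example and not part of the thread: a rule that keys on the original variant's 'N' padding misses the 'X' variant, while a rule that matches the padding structure (a long run of one repeated byte followed by %u-encoded bytes) catches both. The log lines and IPs are constructed; only the %u tail is copied from the request quoted above, and the run lengths are shortened for readability.

```python
import re
from typing import List, Pattern, Tuple

# Constructed sample Apache-style access log lines (not from the original post).
# The filler runs are cut from the ~224 bytes seen in the wild to 24 bytes so
# the sample stays readable; the %u tail is the one quoted in the thread.
UTAIL = ("%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190"
         "%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = "\n".join([
    f'10.0.0.1 - - [04/Aug/2001:16:29:37 -0400] "GET /default.ida?{"N" * 24}{UTAIL} HTTP/1.0" 200 219 "-" "-"',
    f'10.0.0.2 - - [04/Aug/2001:16:31:02 -0400] "GET /default.ida?{"X" * 24}{UTAIL} HTTP/1.0" 200 219 "-" "-"',
    '10.0.0.3 - - [04/Aug/2001:16:32:10 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
])

# The overly specific rule the thread warns about: it hard-codes the 'N'
# padding of the first variant, so swapping the filler to 'X' evades it.
NARROW_RULE = re.compile(r'"GET /default\.ida\?N{16,}')

# Filler-agnostic rule: any /default.ida? request whose query starts with a
# long run of a single repeated byte (the overflow padding, whatever the byte)
# followed by %uXXXX-encoded data. The floor of 16 repeats matches the
# shortened sample; against real traffic a much higher floor is appropriate.
ROBUST_RULE = re.compile(r'"GET /default\.ida\?(.)\1{15,}(?:%u[0-9a-fA-F]{4})+')

# Common log format prefix: client address, then the bracketed timestamp.
LOG_PREFIX = re.compile(r'^(\S+) - - \[([^\]]+)\]')


def scan(log_text: str, rule: Pattern) -> List[Tuple[str, str]]:
    """Return (client_ip, timestamp) for every log line that `rule` matches."""
    hits = []
    for line in log_text.splitlines():
        if not line or not rule.search(line):
            continue
        m = LOG_PREFIX.match(line)
        hits.append((m.group(1), m.group(2)) if m else ("?", "?"))
    return hits


if __name__ == "__main__":
    for name, rule in (("narrow", NARROW_RULE), ("robust", ROBUST_RULE)):
        print(name, scan(SAMPLE_LOG, rule))
```

Running it shows the narrow rule reporting only the 'N' request while the robust rule reports both padded requests and ignores the ordinary page fetch.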