[unisog] Code Red(s) being confused with sadmind/IIS worm?

Paul L Schmehl pauls at utdallas.edu
Thu Aug 9 23:25:08 GMT 2001


--On Thursday, August 09, 2001 5:09 PM -0400 "Stephen W. Thompson" 
<thompson at pobox.upenn.edu> wrote:
>
> If I'm correct, that implies a) sadmind/IIS is more prevalent than
> we'd realized and, possibly b) that there might be a variant of
> sadmind/IIS that succeeds on non-Solaris machines unlike the original
> variant.  Any corroboration on (b) from anyone?
>
The "signature" of Poisonworm is pretty obvious, and if we were seeing it, 
our IDS would be alerting on it.  I haven't seen much of it for a while. 
It seems to have died off a short while after Code Red A became active.

> En paz,
> Steve, (tired) security analyst

Yeah, no kidding.

Paul L. Schmehl, pauls at utdallas.edu
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member



More information about the unisog mailing list