For those who haven't seen yet -

-----BEGIN PGP SIGNED MESSAGE-----

Just a quick FYI, there is a new version of Code Red which appears to be spreading rather rapidly.

- Appears to be a new re-write.
- Drops some sort of remote access trojan.
- Turns off System File Checker (Windows File Protection.)
- Moves CMD.EXE to the scripts directory in IIS
- Looks like the way they make the entry into code very differently than before.
- If your IDS is looking for "NNNN", forget it (but then you should have been shot if you used this string anyway)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

p.s. if we don't respond right away it's because we're now going to go and light the fireworks here at my retreat. Might as well have lots of fireworks tonight!

Quite exciting really, isn't it?

Regards,

Thomas Salmen
System Administrator
Radionet Ltd.
1/72 Paul Matthews Road
Albany, Auckland, New Zealand
Ph: +64 9 414 0300 ext 718

-----Original Message-----
From: Dan Langille [mailto:dan(a)langille.org]
Sent: Sunday, 5 August 2001 4:00 p.m.
To: Juha Saarinen
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: Different Code Red?

On 5 Aug 2001, at 11:53, Juha Saarinen wrote:
I'm getting lots of hits on my home box, unfortunately. 142 since August 1 is the latest count. :-(
Noticed that the GET requests look different now:
[snip]

Some look different:

[dan(a)dev:/var/log] $ grep -c "default.ida?X" /var/log/httpd-access.log
12
[dan(a)dev:/var/log] $ grep -c "default.ida?N" /var/log/httpd-access.log
116
[dan(a)dev:/var/log] $ grep -c "default.ida" /var/log/httpd-access.log
128

The above represents the last 24 hours EST. All hits were against the IP address, not against any known domain (i.e. the HTTP headers did not include a domain name).

--
Dan Langille
pgpkey - finger dan(a)unixathome.org | http://unixathome.org/finger.php

---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog
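An added example, not part of the thread above: the grep counts in Dan's post keyed on the filler byte ("X" vs "N"), which is exactly what Russ warns an IDS should not rely on. The script below instead keys on the vulnerable resource (a query against default.ida, i.e. the .ida ISAPI handler) and only reports the filler byte as a variant hint, counting probes per variant and per source over a few constructed Apache access-log lines (the sample lines, the function names and the shortened filler are assumptions, not data from the post).

```python
import re
from collections import Counter

# Constructed sample log lines in Apache common log format (not from the post):
# two "X"-filler probes from one host, one "N"-filler probe, one ordinary request.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2001:03:12:44 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 290
10.0.0.9 - - [05/Aug/2001:03:15:02 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 290
10.0.0.5 - - [05/Aug/2001:03:20:11 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 290
192.0.2.7 - - [05/Aug/2001:03:21:30 +1200] "GET /index.html HTTP/1.1" 200 1043
"""

# Client IP, then the quoted request line "METHOD PATH PROTOCOL".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')
# Match the targeted resource, not the filler: any query against default.ida is
# suspicious whichever byte the worm variant uses to pad it.
IDA_RE = re.compile(r'/default\.ida\?(?P<filler>.)', re.IGNORECASE)


def classify(line):
    """Return (client_ip, filler_char) for a default.ida probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = IDA_RE.search(m.group("path"))
    if not hit:
        return None
    return m.group("ip"), hit.group("filler").upper()


def summarize(log_text):
    """Count probes per filler byte and per source, like the grep -c commands."""
    by_filler = Counter()
    by_source = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            ip, filler = hit
            by_filler[filler] += 1
            by_source[ip] += 1
    return {"total": sum(by_filler.values()),
            "by_filler": dict(by_filler),
            "by_source": dict(by_source)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```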