Curious HTTP GET commands ...
Drew Taylor
ataylor at speakeasy.net
Mon Aug 6 15:04:00 EDT 2001
> ------------ Original Message -----------
> From: John Chambers <jc at trillian.mit.edu>
> Date: Mon, 06 Aug 2001 16:06:51 UTC
>
> One curious problem: I've dug around in a few search sites and some
> of the security sites to see if I could find a precise description of
> the CodeRed symptoms. So far, I've hit a brick wall. Lots and lots of
> comments on what it does and how it works, but nothing at all that
> tells me how to detect it. They all seem to think that I'm too stupid
> to understand that; I shouldn't worry my little head about it; I
> should just install Microsoft's patch (in my apache server running on
> linux?) and all will be right with the world.
I'm not sure how you can detect if you're running other than looking for root.exe in the scripts directory or noticing requests for default.ida in your logs.
> Meanwhile, I've noticed that sometimes the GET requests include a
> long string of X's, and other times with a long string of N's. Are
> these two clones of CodeRed? Are other letters also symptomatic of
> CodeRed? Is this documented somewhere? I wouldn't want to accuse some
> site of doing a CodeRed attack, when it's actually an unrelated
> CodeBlue attack, y'know.
It is two different versions. The second (I believe it uses 'X' instead of 'N') installs a backdoor via /scripts/root.exe, which is a copy of cmd.exe. The first was merely a worm to attach whitehouse.gov.
-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).
More information about the Discuss
mailing list