[40255] in North American Network Operators' Group
Re: Code Red variants
daemon@ATHENA.MIT.EDU (Andrew Barros)
Sat Aug 4 23:49:46 2001
Date: Sat, 4 Aug 2001 23:49:22 -0400
From: Andrew Barros <abarros@tjhsst.edu>
To: Jeff Ogden <jogden@merit.edu>
Cc: nanog@merit.edu
Message-ID: <20010804234922.E26495@tjhsst.edu>
securityfocus.com has several variants that use the same vulnerability
as Code Red; some of them are not as "nice" as Code Red. By nice I mean
they 0wn the box, instead of a trivial defacement.
-ajb
On Sat, Aug 04, 2001 at 10:48:09PM -0400, Jeff Ogden wrote:
->
->Do we know if anyone has looked at the code for variants of the worm
->in detail recently? I've seen announcements about new versions with
->better random IP address generation. Does anyone know if other
->aspects of the worm are the same? Is it still set to spread itself
->until the 19th and then switch to attacking the IP address that was
->once www1.whitehouse.gov or are there variants with different dates
->and different IP address or attack scenarios?
->
-> -Jeff
->
->At 4:57 PM -0700 8/4/01, Lou Katz wrote:
->>I'm seeing about 2:1 "XXXXXXXXXXXX" vs "NNNNNNNNNNNN" entries in today's logs.
->>
->>Also, I have over a factor of 20 more entries in Aug than in July.
->>
->>--
->>
->>
->>-=[L]=-
---end quoted text---
--
Andrew Barros <abarros@tjhsst.edu>
PGP Key Fingerprint:
D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8