Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm.
Date: Thu, 19 Jul 2001 11:30:44 -0700 (PDT)
From: Joe Harris <cdi@thewebmasters.net>
To: Marc Maiffret <marc@eeye.com>
Cc: BUGTRAQ <BUGTRAQ@securityfocus.com>
In-Reply-To: <EIEOJCKGEPCLJHGCNNOPGEFGEAAA.marc@eeye.com>
Message-ID: <Pine.LNX.3.95.1010719110452.5081A-100000@animal.blarg.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, 18 Jul 2001, Marc Maiffret wrote:
>
> The following is a detailed analysis of the "Code Red" .ida worm that we
> reported on July 17th 2001.
[snip much excellent stuff]
> The following is part of the packet data that is sent for this .ida "Code
> Red" worm attack:
> GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0
> Just add that to your IDS signature database.
A notable side effect of this: the worm signature is wreaking havoc with
Cisco 675, 677, and 678 DSL routers that have the Web Based Configuration
Interface enabled.
Ref BugTraq ID # 2012
http://www.securityfocus.com/vdb/bottom.html?vid=2012
Any request which includes a question mark made to the Web Admin Interface
on these Cisco devices will cause them to lock up. I mention this only
because I work tech-support at an ISP and the phones have been going nuts
this morning.
Useless trivia -
Web server log ida worm signatures seen yesterday: 0
Today the web server (apache) is recording an average of 4 unique IPs
attacking the server every hour.
This one's gonna be bad.
CDI
--
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse:
filesystem not big enough for Jumbo Kernel Patch
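As an added example (not part of the thread, and not eEye's or Joe's code), a small Python script that scans Apache access-log lines for the .ida request pattern quoted above and counts the distinct source IPs per hour, the figure Joe reports from his server. The log lines are constructed for the example, and the N padding is shortened from the worm's 224 bytes to 30 so the lines stay readable.

```python
import re
from collections import defaultdict

# Request pattern quoted in the thread: GET /default.ida? followed by a long run
# of 'N' padding and then %uXXXX escapes beginning with %u9090.
IDA_WORM_RE = re.compile(r'GET /default\.ida\?N{20,}[^" ]*%u9090')
# Apache common/combined log prefix: client IP, identd, user, [timestamp], "request".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# Constructed sample log (assumption: not a real capture); the real worm request
# carries 224 'N's, shortened here to 30 so the lines stay readable.
WORM_QUERY = "N" * 30 + ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
                         "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
                         "%u0078%u0000%u00=a")
SAMPLE_LOG = [
    f'10.0.0.5 - - [19/Jul/2001:09:15:02 -0700] "GET /default.ida?{WORM_QUERY} HTTP/1.0" 404 275',
    '10.0.0.9 - - [19/Jul/2001:09:42:11 -0700] "GET /index.html HTTP/1.1" 200 1024',
    f'10.0.0.5 - - [19/Jul/2001:09:50:37 -0700] "GET /default.ida?{WORM_QUERY} HTTP/1.0" 404 275',
    '10.0.0.9 - - [19/Jul/2001:09:55:00 -0700] "GET /search?q=ida HTTP/1.1" 200 512',
    f'192.0.2.7 - - [19/Jul/2001:10:03:19 -0700] "GET /default.ida?{WORM_QUERY} HTTP/1.0" 404 275',
    'not a log line at all',
]

def parse_line(line):
    """Return (client_ip, hour_bucket, request_line), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")                            # 19/Jul/2001:09:15:02 -0700
    hour = ts.split(" ")[0].rsplit(":", 2)[0]     # 19/Jul/2001:09
    return m.group("ip"), hour, m.group("req")

def attackers_per_hour(lines):
    """Map each hour bucket to the set of client IPs that sent the .ida probe."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                              # skip malformed lines
        ip, hour, req = parsed
        if IDA_WORM_RE.search(req):
            hits[hour].add(ip)
    return dict(hits)

def unique_attacker_counts(lines):
    """Hour bucket -> number of distinct attacking IPs (the figure Joe reports)."""
    return {hour: len(ips) for hour, ips in attackers_per_hour(lines).items()}

if __name__ == "__main__":
    for hour, n in sorted(unique_attacker_counts(SAMPLE_LOG).items()):
        print(f"{hour}: {n} unique attacking IP(s)")
```

Feed a real access_log through `attackers_per_hour` to get the per-hour set of probing hosts; repeat hits from the same IP within an hour count once, which is what the "unique IPs" figure means.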