Curious HTTP GET commands ...

Drew Taylor ataylor at speakeasy.net
Mon Aug 6 15:04:00 EDT 2001


> ------------ Original Message -----------
> From: John Chambers <jc at trillian.mit.edu>
> Date: Mon, 06 Aug 2001 16:06:51 UTC
> 
> One curious problem:  I've dug around in a few search sites and  some
> of the security sites to see if I could find a precise description of
> the CodeRed symptoms. So far, I've hit a brick wall. Lots and lots of
> comments  on  what  it does and how it works, but nothing at all that
> tells me how to detect it. They all seem to think that I'm too stupid
> to  understand  that;  I  shouldn't  worry my little head about it; I
> should just install Microsoft's patch (in my apache server running on
> linux?) and all will be right with the world.

I'm not sure how you can detect if you're running other than looking for root.exe in the scripts directory or noticing requests for default.ida in your logs.

> Meanwhile, I've noticed that sometimes the  GET  requests  include  a
> long  string  of X's, and other times with a long string of N's.  Are
> these two clones of CodeRed?  Are other letters also  symptomatic  of
> CodeRed? Is this documented somewhere? I wouldn't want to accuse some
> site of doing a CodeRed  attack,  when  it's  actually  an  unrelated
> CodeBlue attack, y'know.

It is two different versions. The second (I believe it uses 'X' instead of 'N') installs a backdoor via /scripts/root.exe, which is a copy of cmd.exe. The first was merely a worm to attack whitehouse.gov.
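A small access-log check for the two symptoms named in this reply (requests for default.ida carrying a long run of N's or X's, and requests for /scripts/root.exe), added here as an example and not part of the original thread; the log lines are constructed, and the run-length threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample Apache access-log lines (not a real capture).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Aug/2001:12:01:07 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 295
10.0.0.9 - - [06/Aug/2001:12:02:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 295
10.0.0.9 - - [06/Aug/2001:12:02:12 -0400] "GET /scripts/root.exe HTTP/1.0" 404 291
192.168.1.20 - - [06/Aug/2001:12:03:00 -0400] "GET /index.html HTTP/1.1" 200 1043
"""

# Common Log Format prefix: client IP, identd, user, timestamp, then the request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A "long string" of one repeated letter at the start of the query; 8+ is an assumed threshold.
RUN_RE = re.compile(r'^([NX])\1{7,}')

def classify_request(path):
    """Return a tag for a request path matching a symptom from the thread, else None."""
    target, _, query = path.partition("?")
    if target.lower() == "/default.ida":
        run = RUN_RE.match(query)
        # Tag by the repeated letter so the two variants can be counted separately.
        return "default.ida-%s" % run.group(1) if run else "default.ida-other"
    if target.lower().startswith("/scripts/root.exe"):
        return "root.exe-probe"
    return None

def scan_log(text):
    """Parse access-log lines and return the suspicious requests as dicts."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify_request(m.group("path"))
        if tag:
            hits.append({"ip": m.group("ip"), "path": m.group("path"), "tag": tag})
    return hits

def summarize(hits):
    """Count (source IP, tag) pairs so repeat scanners stand out."""
    return Counter((h["ip"], h["tag"]) for h in hits)

if __name__ == "__main__":
    for (ip, tag), n in summarize(scan_log(SAMPLE_LOG)).most_common():
        print("%-15s %-18s %d" % (ip, tag, n))
```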
