Pantek Library

Re: New CodeRed strain? -- UPDATE

From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Mon Apr 28 2003 - 13:13:11 EDT

As I see it did make it to the list, here is an update.

The reason this packet hasn't been tripping the usual signatures is simple. We are receiving *only* the second packet. There is no first packet with GET /default.ida?XXXX etc.

The packet itself appears to be classic CodeRed (II I believe), but again, we're getting only the second packet. No TCP 3-way, for first packet.

While keeping our eyes on this, the majority appears to be coming from China, but we do see some domestic (USA), Turkey, and I believe a Brazilian.

I'm curious if anyone else is seeing these second-packet-only CodeReds.

Regards,
Frank


On Fri, 2003-04-25 at 13:55, Frank Knobbe wrote:
> Greetings,

Received on Tue Apr 29 17:55:57 2003
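
The gap described in the message above (a signature keyed on the request line never sees a segment that arrives without it) can be covered by a stateful check for data segments with no preceding handshake. The following is an added example, not part of the original post; the `Pkt` record, the function name and the sample packets are constructed for illustration and model client-to-server traffic only.

```python
from collections import namedtuple

# Hypothetical packet summary as a sensor might record it (assumption).
Pkt = namedtuple("Pkt", "src sport dst dport flags payload")

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def find_orphan_segments(packets, port=80):
    """Return (flow, mid_stream) for data segments sent to `port` on flows
    where no SYN plus follow-up ACK was seen. mid_stream is True when the
    payload does not begin with an HTTP method, i.e. it looks like a later
    segment of a request whose first packet never arrived."""
    syn_seen, established, orphans = set(), set(), []
    for p in packets:
        if p.dport != port:
            continue
        flow = (p.src, p.sport, p.dst, p.dport)
        if "S" in p.flags and "A" not in p.flags:
            syn_seen.add(flow)          # client SYN opens the flow
            continue
        if "A" in p.flags and flow in syn_seen:
            established.add(flow)       # ACK after SYN: handshake observed
        if p.payload and flow not in established:
            orphans.append((flow, not p.payload.startswith(HTTP_METHODS)))
    return orphans

# Constructed sample traffic (documentation address ranges, filler payloads).
SAMPLE = [
    # Normal flow: handshake, request line, then a continuation segment.
    Pkt("192.0.2.10", 1025, "198.51.100.5", 80, "S", b""),
    Pkt("192.0.2.10", 1025, "198.51.100.5", 80, "A", b""),
    Pkt("192.0.2.10", 1025, "198.51.100.5", 80, "PA", b"GET /default.ida?XXXX"),
    Pkt("192.0.2.10", 1025, "198.51.100.5", 80, "PA", b"constructed-continuation"),
    # Second-packet-only case: data with no SYN and no request line.
    Pkt("192.0.2.77", 3301, "198.51.100.5", 80, "PA", b"constructed-continuation"),
    # Request line but no handshake (e.g. sensor started mid-connection).
    Pkt("192.0.2.88", 4402, "198.51.100.5", 80, "PA", b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for flow, mid_stream in find_orphan_segments(SAMPLE):
        kind = "mid-stream data" if mid_stream else "request without handshake"
        print(flow, kind)
```
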

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:04 EDT

