From owner-freebsd-questions Sun Aug 5 15:28:56 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from deborah.paradise.net.nz (deborah.paradise.net.nz [203.96.152.32]) by hub.freebsd.org (Postfix) with ESMTP id E317637B401 for ; Sun, 5 Aug 2001 15:28:50 -0700 (PDT) (envelope-from rshea@opendoor.co.nz)
Received: from sheasili (203-79-72-40.cable.paradise.net.nz [203.79.72.40]) by deborah.paradise.net.nz (Postfix) with SMTP id 9412F1FA2A9 for ; Mon, 6 Aug 2001 10:28:26 +1200 (NZST)
From: rshea@opendoor.co.nz
To: questions@FreeBSD.ORG
Date: Mon, 6 Aug 2001 10:28:21 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Code Red 2 - (was : Attempted Buffer Overrun in via httpd? )
References: Your message of "Sat, 04 Aug 2001 14:27:37 -0300." <20010804142321.X91592-100000@cactus.fi.uba.ar>
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <20010805222826.9412F1FA2A9@deborah.paradise.net.nz>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> > It smells like code red. It is a worm which tries to exploit a vulnerability
> > in M$ IIS.
>
> Ah! Duh. Wait, I'm catching up here... What's the current virus
> knocking on everyone's door? Oh yeah, _I_ remember now! Code Red.
>

Although Code Red is old news (hopefully) to everyone with IIS machines in their network, I would just point out that in the last 36 hours a so-called Code Red II has arisen (if you look in your logs you'll see that some of the default.ida attempts now have a padding of 'X' rather than 'N'). It has a much nastier effect and rebooting ain't going to fix it. Once again the June 18 IIS patch will avoid infection ...

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

... and there's a lot of details at ...

http://www.eeye.com/html/advisories/coderedII.zip

... for people in charge of a network there's an interesting aspect to the way it generates target IPs. Basically once it gets to a machine close to your IP address you're going to see a very fast ramp up in traffic. This may explain the discrepancies in sightings which people have mentioned in earlier posts. It certainly corresponds with what I've seen here in the last 24 hours.

Just another day that I feel grateful for Apache and Unix!

Have a good one.

richard shea.

*****************************************************
Open Door Ltd
PO Box 119-46
Wellington
PH 04 384 7639
FX 04 384 7672
*****************************************************
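The post's tip for telling the two variants apart in a web server's logs (default.ida probes padded with 'N' for the original Code Red, 'X' for Code Red II) is easy to turn into a small log scanner. The script below is an added example, not code from the post or from any of the projects it mentions: it parses Apache common-log-format lines, classifies each default.ida request by its padding character, and tallies probes per variant and per source address. The log lines are constructed for the example (RFC 5737 documentation addresses, a shortened padding run), and the minimum run length of 8 padding characters is an arbitrary threshold chosen here to ignore stray requests that merely mention default.ida.

```python
import re
from collections import Counter, defaultdict
from typing import Optional

# Apache common log format. The combined format only appends referer and
# user-agent fields, which this pattern tolerates by not anchoring at the end.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3})'
)

# Padding character of the default.ida probe, as described in the post:
# 'N' for the original Code Red, 'X' for Code Red II.
PADDING_VARIANTS = {"N": "Code Red", "X": "Code Red II"}

# Minimum run of identical padding characters before a request counts as a
# worm probe (arbitrary threshold chosen for this example).
MIN_PADDING_RUN = 8

# Constructed sample access-log lines (not from the original post). A server
# that is not IIS, such as the poster's Apache, just answers 404 but still
# records the probe, which is exactly what makes it visible in the logs.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [05/Aug/2001:10:12:01 +1200] "GET /default.ida?' + "N" * 32 + ' HTTP/1.0" 404 283',
    '203.0.113.9 - - [05/Aug/2001:10:14:33 +1200] "GET /default.ida?' + "X" * 32 + ' HTTP/1.0" 404 283',
    '198.51.100.4 - - [05/Aug/2001:10:15:02 +1200] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.9 - - [05/Aug/2001:10:15:40 +1200] "GET /default.ida?' + "X" * 32 + ' HTTP/1.0" 404 283',
])


def classify_request(path: str) -> Optional[str]:
    """Return the variant name a request path looks like, or None if it is not a default.ida probe."""
    if not path.lower().startswith("/default.ida?"):
        return None
    query = path.split("?", 1)[1]
    if not query:
        return "default.ida probe (no padding)"
    first = query[0]
    # Length of the leading run of one repeated character; real probes use a long run.
    run = len(query) - len(query.lstrip(first))
    if run < MIN_PADDING_RUN:
        return "default.ida probe (unrecognised padding)"
    return PADDING_VARIANTS.get(first, f"default.ida probe (padding {first!r})")


def scan_log(text: str) -> dict:
    """Tally default.ida probes by variant and by source IP over access-log text."""
    by_variant: Counter = Counter()
    by_source: dict = defaultdict(Counter)
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1  # keep a count so a format mismatch is noticed, not silently dropped
            continue
        variant = classify_request(m.group("path"))
        if variant is None:
            continue
        by_variant[variant] += 1
        by_source[variant][m.group("ip")] += 1
    return {
        "by_variant": dict(by_variant),
        "by_source": {variant: dict(ips) for variant, ips in by_source.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for variant, count in sorted(report["by_variant"].items()):
        print(f"{variant}: {count} probe(s) from {report['by_source'][variant]}")
    if report["unparsed"]:
        print(f"{report['unparsed']} line(s) did not match the log format")
```

Run it against a real access log with `scan_log(open("/var/log/httpd-access.log").read())`; a sudden jump in the per-source counts from addresses numerically near your own is the ramp-up the post describes, since the worm prefers nearby targets.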