Re: FW: Alert: New version of Code Red, XXXX

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 5 Aug 2001 06:41:23 -0700

Again, the good news is that unless you publish your web site with either:
    1. server publishing
    2. IP addresses in the destination sets
you're going to be fine if ISA is standing watch.
I already noticed the difference with the overflow characters (XXXX's
instead of NNNN's) and also noted that the connections were being made using
IP addresses as: 123.123.123.123/default.ida?.
ISA blocked them for me.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Hugo Caye" <Hugo@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, August 04, 2001 8:59 PM
Subject: [isalist] FW: Alert: New version of Code Red, XXXX



FYI

-----Original Message-----
From: Russ [mailto:Russ.Cooper@xxxxxxxx]
Sent: Sunday, August 5, 2001 00:48
To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
Subject: Alert: New version of Code Red, XXXX


-----BEGIN PGP SIGNED MESSAGE-----

Just a quick FYI, there is a new version of Code Red which appears to
be spreading rather rapidly.

- - Appears to be a new re-write.

- - Drops some sort of remote access trojan.

- - Turns off System File Checker (Windows File Protection.)

- - Moves CMD.EXE to the scripts directory in IIS

- - Looks like the way they make the entry into code is very different
than before.

- - If your IDS is looking for "NNNN", forget it (but then you should
have been shot if you used this string anyway)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

p.s. if we don't respond right away it's because we're now going to go
and light the fireworks here at my retreat. Might as well have lots
of fireworks tonight!

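Added example, not part of the original thread or of any product mentioned in it: a log-side check that does not depend on the filler character (NNNN vs. XXXX) and also flags the IP-literal Host that Jim describes ISA rejecting. The thresholds, function names and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed values for illustration; tune to your own traffic.
MAX_QUERY_LEN = 128   # assumption: legitimate index queries are shorter than this
MIN_FILLER_RUN = 32   # same character repeated at least this many times
INDEX_EXTS = (".ida", ".idq")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

def naive_signature(request_target):
    """The brittle check the alert warns about: match the literal filler."""
    return "NNNN" in request_target

def classify(host, request_target):
    """Return the reasons a request looks suspicious, whatever the filler byte."""
    reasons = []
    parts = urlsplit(request_target)
    if parts.path.lower().endswith(INDEX_EXTS):
        query = parts.query
        if len(query) > MAX_QUERY_LEN:
            reasons.append("overlong-index-query")
        # Length of the longest run of one repeated character in the query.
        longest = max((len(m.group(0)) for m in re.finditer(r"(.)\1*", query)),
                      default=0)
        if longest >= MIN_FILLER_RUN:
            reasons.append("filler-run")
    if IPV4_HOST.match(host):
        reasons.append("ip-literal-host")
    return reasons

# Constructed samples: (Host header, request target). Filler only, no payload.
SAMPLES = [
    ("123.123.123.123", "/default.ida?" + "N" * 224),
    ("123.123.123.123", "/default.ida?" + "X" * 224),
    ("www.example.test", "/default.ida?" + "X" * 224),
    ("www.example.test", "/search.idq?q=isa"),
    ("www.example.test", "/index.html"),
]

if __name__ == "__main__":
    for host, target in SAMPLES:
        print(host, target[:24], naive_signature(target), classify(host, target))
```

The second sample is the case from the alert: the literal "NNNN" match misses it, while the length and repeated-character checks still fire.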



