Nope, the destination set of www.dsl-207.153.185.170.zipcon.net wouldn't match
dsl-207.153.185.170.zipcon.net in the request. GOD I love how the ISA devs think!

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Mark Strangways" <strangconst@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, August 05, 2001 7:52 AM
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX

http://www.ISAserver.org

Unless of course your web site happens to be named ..
www.dsl-207.153.185.170.zipcon.net
That would get you there, no?

Mark

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, August 05, 2001 10:41 AM
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX

> http://www.ISAserver.org
>
> The kewl thing about DNS rev-resolution is that with DSL and cable-based
> connections, the reverse resolution is handled by the ISP, providing an
> unusable destination. For instance, this is what you get when you try to
> rev-resolve me with a ping:
>
> ping -a 207.153.185.170
> Pinging dsl-207-153-185-170.zipcon.net [207.153.185.170] with 32 bytes of
> data:
>
> Go ahead; hit me with
> http://dsl-207.153.185.170.zipcon.net/default.ida?<whatever> and see how far
> you get.
>
> Granted, a smarter script kiddie would whois me and figure out my zones, but
> there's the rub; more effort involved for the scripter. These guys are
> generally lazy and go for the mass destruction effect, not the surgical
> strike. The new IP-based connection is just an easy by-product of the IP
> generator that they use to begin with.
>
> As far as what characters they use for the buffer overflow, that's
> irrelevant and anyone depending on that for the hack signature is just
> buying time at a high price. The easiest thing to do is to remove the .ida
> feature of the web site to begin with.
>
> Check these out for detailed info on reactive and proactive measures:
> http://www.digitalisland.net/codered/CodeRed.mp3
> http://www.digitalisland.net/codered/CodeRed.pdf
> http://www.digitalisland.net/codered/CodeRed.ppt
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Shayne Lebrun" <slebrun@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Sunday, August 05, 2001 5:21 AM
> Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX
>
> http://www.ISAserver.org
>
> Look for default.ida?XXX for a quick count. 69 against my ISA server so
> far. Uses IP addresses, so as long as your web publishing is name
> based, it'll still go splat. If this guy had been intelligent enough to do
> reverse DNS lookups, then hit the DNS name, some would wind up getting
> through, and (presumably :-) go splat against the patch installed. Or
> the fact that one has removed the index server script mappings, unless
> one is actually using script mappings. :-)
>
> As usual, Slashdot (http://slashdot.org) has information and lively
> discussion on this very topic.
>
> -----Original Message-----
> From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: Sunday, August 05, 2001 12:10 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX
>
> http://www.ISAserver.org
>
> Hi Hugo,
>
> Thanks for the heads-up. I'll look for signs of this in my Web Proxy
> logs.
>
> Tom
> www.isaserver.org/shinder
>
> Thomas W Shinder, M.D., MCSE, MCT
>
> -----Original Message-----
> From: Hugo Caye [mailto:Hugo@xxxxxxxxxxxxx]
> Sent: Saturday, August 04, 2001 10:59 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] FW: Alert: New version of Code Red, XXXX
>
> http://www.ISAserver.org
>
> FYI
>
> -----Original Message-----
> From: Russ [mailto:Russ.Cooper@xxxxxxxx]
> Sent: Sunday, 5 August 2001 00:48
> To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Alert: New version of Code Red, XXXX
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Just a quick FYI, there is a new version of Code Red which appears to
> be spreading rather rapidly.
>
> - - Appears to be a new re-write.
> - - Drops some sort of remote access trojan.
> - - Turns off System File Checker (Windows File Protection.)
> - - Moves CMD.EXE to the scripts directory in IIS
> - - Looks like the way they make the entry into code very differently
> than before.
> - - If your IDS is looking for "NNNN", forget it (but then you should
> have been shot if you used this string anyway)
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
> p.s. if we don't respond right away it's because we're now going to go
> and light the fireworks here at my retreat. Might as well have lots
> of fireworks tonight!
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
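As an added illustration of the log check Shayne and Tom describe above (not code from the thread or from ISA Server), a Python triage over constructed Web Proxy log lines in W3C extended format: it counts every default.ida probe regardless of the padding character, labels the NNNN/XXXX padding only as a secondary tag (the thread's point being that the padding is a weak signature), and records whether the Host was an IP literal or a DNS name, since IP-addressed requests don't match name-based publishing rules. The field layout and every log line are constructed for the example and are not ISA's real log format.

```python
import re
from collections import Counter
# Constructed sample in W3C extended log format; the field layout is an
# assumption for this example, not the exact ISA Server Web Proxy log layout.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-host cs-method cs-uri sc-status
2001-08-05 07:12:31 192.0.2.10 203.0.113.5 GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 403
2001-08-05 07:13:02 192.0.2.11 203.0.113.5 GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 403
2001-08-05 07:13:40 198.51.100.7 203.0.113.5 GET /Default.IDA?XXXXXXXXXXXXXXXXXXXX%u9090 403
2001-08-05 07:14:05 192.0.2.12 www.example.net GET /index.html 200
2001-08-05 07:15:19 192.0.2.13 www.example.net GET /default.ida?XXXXXXXXXX%u9090 200
"""

IDA_PATH = re.compile(r"/default\.ida$", re.IGNORECASE)  # the .ida ISAPI mapping the worm hits
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

def classify_payload(query):
    """The first worm padded the overflow with 'N'; the new one uses 'X'."""
    m = re.match(r"([NX])\1{4,}", query)  # a run of at least five N or X
    if m:
        return "NNNN-variant" if m.group(1) == "N" else "XXXX-variant"
    return "other"

def host_is_ip(host):
    return IPV4.fullmatch(host.split(":")[0]) is not None  # IP literal, not a DNS name

def triage(text):
    """Count .ida probes by payload variant, Host type, and whether a 2xx came back."""
    counts = Counter()
    for rec in parse_w3c(text):
        path, _, query = rec["cs-uri"].partition("?")
        if not IDA_PATH.search(path):
            continue
        counts[classify_payload(query)] += 1
        counts["ip-host" if host_is_ip(rec["cs-host"]) else "name-host"] += 1
        if rec["sc-status"].startswith("2"):  # served rather than blocked at the proxy
            counts["reached-server"] += 1
    return counts
```

The "reached-server" bucket is the one worth acting on: a 2xx on a default.ida request to a published name means the rule matched and the back-end IIS answered, which is exactly the case Shayne describes for name-based requests.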