RE: FW: Alert: New version of Code Red, XXXX

Nope, the destination set of www.dsl-207.153.185.170.zipcon.net wouldn't
match dsl-207.153.185.170.zipcon.net in the request.  GOD I love how the ISA
devs think!


Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Mark Strangways" <strangconst@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, August 05, 2001 7:52 AM
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX


http://www.ISAserver.org


Unless of course your web site happens to be named ..
www.dsl-207.153.185.170.zipcon.net

That would get you there no ?
Mark

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, August 05, 2001 10:41 AM
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX


> http://www.ISAserver.org
>
>
> The kewl thing about DNS rev-resolution is that with DSL and cable-based
> connections, the reverse resolution is handled by the ISP, providing an
> unusable destination.  For instance, this is what you get when you try to
> rev-resolve me with a ping:
> ping -a 207.153.185.170
> Pinging dsl-207-153-185-170.zipcon.net [207.153.185.170] with 32 bytes of
> data:
> Go ahead; hit me with
> http://dsl-207.153.185.170.zipcon.net/default.ida?<whatever> and see how
far
> you get.
>
> Granted, a smarter script kiddie would whois me and figure out my zones,
but
> there's the rub; more effort involved for the scripter.  These guys are
> generally lazy and go for the mass destruction effect, not the surgical
> strike.  The new IP-based connection is just an easy by-product of the IP
> generator that they use to begin with.
>
> As far as what characters they use for the buffer overflow, that's
> irrelevant and anyone depending on that for the hack signature is just
> buying time at a high price.  The easiest thing to do is to remove the
.ida
> feature of the web site to begin with.
>
> Check these out for detailed info on reactive and proactive measures:
> http://www.digitalisland.net/codered/CodeRed.mp3
> http://www.digitalisland.net/codered/CodeRed.pdf
> http://www.digitalisland.net/codered/CodeRed.ppt
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Shayne Lebrun" <slebrun@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Sunday, August 05, 2001 5:21 AM
> Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX
>
>
> http://www.ISAserver.org
>
>
> Look for default.ida?XXX for a quick count.  69 against my ISA server so
> far.  Uses IP addresses, so as long as your web publishing is name
> based, it'll still go splat.  If this guy had been intelligent to do
> reverse DNS lookups, then hit the DNS name, some would wind up getting
> through, and (presumably :-) go splat against the patch installed.  Or
> the fact that one has removed the index server script mappings, unless
> one is actually using script mappings. :-)
>
> As usual, Slashdot (http://slashdot.org) has information and lively
> discussion on this very topic.
>
> -----Original Message-----
> From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: Sunday, August 05, 2001 12:10 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX
>
>
> http://www.ISAserver.org
>
>
> Hi Hugo,
>
> Thanks for the heads-up. I'll look for signs of this in my Web Proxy
> logs.
>
> Tom
> www.isaserver.org/shinder
>
>
> Thomas W Shinder, M.D., MCSE, MCT
>
>
>
> -----Original Message-----
> From: Hugo Caye [mailto:Hugo@xxxxxxxxxxxxx]
> Sent: Saturday, August 04, 2001 10:59 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] FW: Alert: New version of Code Red, XXXX
>
>
> http://www.ISAserver.org
>
>
>
> FYI
>
> -----Original Message-----
> From: Russ [mailto:Russ.Cooper@xxxxxxxx]
> Sent: domingo, 5 de agosto de 2001 00:48
> To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Alert: New version of Code Red, XXXX
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Just a quick FYI, there is a new version of Code Red which appears to
> be spreading rather rapidly.
>
> - - Appears to be a new re-write.
>
> - - Drops some sort of remote access trojan.
>
> - - Turns off System File Checker (Windows File Protection.)
>
> - - Moves CMD.EXE to the scripts directory in IIS
>
> - - Looks like the way they make the entry into code very differently
> than before.
>
> - - If your IDS is looking for "NNNN", forget it (but then you should
> have been shot if you used this string anyway)
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
> p.s. if we don't respond right away its because we're now going to go
> and light the fireworks here at my retreat. Might as well have lots
> of fireworks tonight!
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.2
>
> iQCVAwUBO2zCARBh2Kw/l7p5AQH95wQAqjGp7vRYK8SYky/ydyU1wxBmCe2c8Mpd
> DBdxrv+TY9112ZuH663ZspUOXThS9oeEyT4sdbVYNv8Z28nMipbioyTXYa5dw8po
> 21tkilo6ZoGX+AmKJ6Kz7WDvMpHpEfzDr3JHGtxuev0/rclXeRSN4urypMR3YnRz
> uw5ZW/F3U/I=
> =OhCV
> -----END PGP SIGNATURE-----
>
>
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> slebrun@xxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
strangconst@xxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')




Other related posts: