From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 10 Jan 2002 19:17:19 -0800 (PST)
Subject: [iwar] [fc:new.codered.worm.penetrates.content-filtering]
Message-Id: <200201110317.g0B3HJp31542@red.all.net>
Reply-To: iwar@yahoogroups.com

For a long time I haven't seen codered since we've been using content-screening at the router for blocking the attacks, but suddenly they are showing up again on my IDS. So I was wondering how it is that now they are getting through the content-screening.

After waiting for a capture of an attack session (I didn't have to wait long) it seems that the familiar "GET /default.ida*" is now being delivered with the "GET " in a separate packet which appears designed to defeat the web content-screening features of routers and packet shapers. It's been a while, but I don't recall it being split up like that before - and I still get some with the "GET" in the same packet so I'm led to believe there's a new code red variant out there. Can anyone else verify that this is new behaviour?

------------------
http://all.net/
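As an added illustration (not part of the post or the list), the following shows why a packet-at-a-time content filter misses the request once the "GET " arrives in its own segment, while a filter that reassembles the TCP stream before matching still catches it. The segments, sequence numbers and request text are constructed samples, not a real capture.

```python
import re
from dataclasses import dataclass

# Signature for the Code Red probe described in the post (prefix only).
CODERED_RE = re.compile(rb"GET /default\.ida")


@dataclass
class Segment:
    """One captured TCP segment (constructed sample, not a real capture)."""
    seq: int
    payload: bytes


def per_packet_match(segments):
    """Naive screening: test the signature against each segment on its own,
    which is how a packet-at-a-time content filter behaves."""
    return any(CODERED_RE.search(s.payload) is not None for s in segments)


def reassemble(segments):
    """Order segments by sequence number and join the payloads into one stream.
    Retransmitted/overlapping bytes are dropped; a gap ends the reassembly."""
    stream = b""
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:          # missing data: cannot safely join past it
            break
        new_bytes = seg.payload[expected - seg.seq:]   # skip already-seen overlap
        stream += new_bytes
        expected += len(new_bytes)
    return stream


def stream_match(segments):
    """Screening after TCP reassembly: the signature is tested against the
    rebuilt request, so splitting it across segments no longer hides it."""
    return CODERED_RE.search(reassemble(segments)) is not None


# Constructed samples; the real worm sends a long padded URI after default.ida.
SAME_PACKET = [Segment(1000, b"GET /default.ida?XXXX HTTP/1.0\r\n")]
SPLIT_GET = [
    Segment(1004, b"/default.ida?XXXX HTTP/1.0\r\n"),  # arrives first, out of order
    Segment(1000, b"GET "),
]

if __name__ == "__main__":
    for name, segs in (("same packet", SAME_PACKET), ("split GET", SPLIT_GET)):
        print(f"{name}: per-packet={per_packet_match(segs)} reassembled={stream_match(segs)}")
```

The per-packet check reports True/True for the single-segment request and False/True for the split one; only the reassembled check sees both.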
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:02 PST