Re: IIS4 & Code Red?

From: Ryan Permeh (ryan@eEye.com)
Date: 07/26/01


Message-ID: <010701c11604$10766780$1e01a8c0@eCompany.gov>
From: "Ryan Permeh" <ryan@eEye.com>
To: "Dave Loschiavo" <davel@ecst.csuchico.edu>, <focus-ms@securityfocus.com>
Subject: Re: IIS4 & Code Red?
Date: Thu, 26 Jul 2001 11:52:05 -0700

The offsets in all currently analyzed versions of CodeRed are wrong for nt
4/iis4. It causes a halt in service, rather than infecting and spreading.
The vulnerability DOES exist on nt 4, though, so if correct offsets were
applied, an nt4 worm of CodeRed caliber would be possible.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer

----- Original Message -----
From: "Dave Loschiavo" <davel@ecst.csuchico.edu>
To: <focus-ms@securityfocus.com>
Sent: Thursday, July 26, 2001 7:22 AM
Subject: IIS4 & Code Red?

> Anyone out there actually see (first hand) an IIS4 box that was
> compromised by Code Red? I know it will affect IIS5, and the alerts say it
> affects IIS4 and IIS5, but I'd like to know if anyone actually saw an IIS4
> box get hit.
>
>