Re: analysis
From: Pete Sherwood (petersherwood@home.com)
Date: 08/01/01
- Previous message: gminick: "Re: advice"
- In reply to: CMC: "analysis"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <005401c11a86$b73f3fc0$0d01a8c0@slnt1.on.wave.home.com>
From: "Pete Sherwood" <petersherwood@home.com>
To: "CMC" <nio@digital-extreme.net>
Subject: Re: analysis
Date: Wed, 1 Aug 2001 08:37:23 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ----- Original Message -----
From: "CMC" <nio@digital-extreme.net>
> Hello everyone, I've signed on to this list and would like to know if
> an analysis of the code red worm was posted to fellow listers. If so
> would someone be kind enough to email it to me in private or point me
> off in the right direction to obtain it for review?
You may find additional information and help
at one or more of the following web sites:
Recommendations from members of alt.comp.virus:
<http://claymania.com/nav-map.html>
Command AntiVirus <http://www.commandcom.com>
F-Prot for Windows (version 3.09) <http://www.complex.is>
F-Prot version 3.10 <http://www.frisk.is/f-prot/products/fpdos.html>
F-Secure Anti-Virus <http://www.f-secure.com>
InVircible Anti-Virus Software <http://invircible.com>
Kaspersky AntiVirus (Formerly AVP) <http://www.kaspersky.com>
McAfee/NAI: <http://vil.nai.com>
Nod32 Anti-Virus System <http://www.nod32.com>
Norman Virus Control <http://www.norman.com>
Sophos AntiVirus <http://www.sophos.com>
Symantec <http://sarc.com>
Trend: <http://antivirus.com>
==== end of paste =====
Pay close attention to Ken's last statement!!!!!
From: "Ken Pfeil" <Ken@infosec101.org>
To: <security-basics@securityfocus.com>
Sent: Tuesday, July 31, 2001 12:53 PM
Subject: RE: Code Red Question
> No. This is incorrect. You do not need to have Index server installed and
> running. If you have the ISAPI mappings enabled for .ida and .idq
> extensions on an unpatched server, and people can establish a web
> session, you are vulnerable. There's a lot of misreporting being done
> in the press about this, and even CERT's information appears to be
> incorrect.
>
> From
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-033.asp
>
> "The buffer overrun occurs before any indexing functionality is
> requested. As a result, even though idq.dll is a component of Index
> Server/Indexing Service, the service would not need to be running in
> order for an attacker to exploit the vulnerability. As long as the script
> mapping for .idq or .ida files were present, and the attacker were able
> to establish a web session, he could exploit the vulnerability."
>
> Don't believe everything you read ;-)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Even when you read it on the AntiVirus Vendor web sites!!!!!
Pete Sherwood
613-260-0612 (home/office)
613-591-8900 ext. 525 (voice-mail)
PGP and Thawte digital keys available @
http://members.home.net/petersherwood/
Founding member of http://AVIEN.org
Anti-Virus Information Exchange Network
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBO2f35romytMtxLfsEQJUYgCeLw5JQBDBO3WMRa5tAlyTE1/7q/oAnjBI
vx0NgPGgfZ6/INdybDm9BmzA
=pT+k
-----END PGP SIGNATURE-----
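The practical consequence of Ken's point (quoted above) is that the exposure follows the .ida/.idq script mapping, not the Index Server service, so a defender reviewing IIS logs should flag every request routed to those extensions regardless of whether indexing is in use or whether the request got a 404. The script below is an added example and is not from Pete's message, Ken's message, or the Microsoft bulletin; it parses IIS W3C extended log lines (the `#Fields` directive names the columns), flags requests whose URI stem ends in `.ida` or `.idq` (matched case-insensitively, because IIS path matching is case-insensitive), and counts them per client address. The log lines are constructed for the example.

```python
from collections import Counter

# Extensions whose ISAPI script mappings hand the request to idq.dll (MS01-033).
# Per the bulletin, the mapping alone is the exposure; Index Server need not run.
IDQ_EXTENSIONS = (".ida", ".idq")

# Constructed sample of IIS 5 W3C extended log lines (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-01 08:12:03 192.0.2.10 GET /index.html - 200
2001-08-01 08:12:09 192.0.2.77 GET /default.ida q=example 200
2001-08-01 08:13:14 198.51.100.5 GET /scripts/query.idq CiRestriction=test 404
2001-08-01 08:14:22 192.0.2.10 GET /images/logo.gif - 200
2001-08-01 08:15:40 192.0.2.77 GET /Default.IDA - 200
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names from the #Fields directive."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if line.startswith("#"):
            continue                           # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                           # malformed line: skip rather than guess
        yield dict(zip(fields, values))


def is_idq_request(uri_stem):
    """True when the URI stem would be dispatched to the .ida/.idq script mapping.

    The status code is deliberately not consulted: the handler runs before any
    indexing work, so a 404 does not mean the request never reached idq.dll.
    """
    return uri_stem.lower().endswith(IDQ_EXTENSIONS)


def find_idq_requests(log_text):
    """Return the parsed records for every request routed to the .ida/.idq mapping."""
    return [rec for rec in parse_w3c(log_text) if is_idq_request(rec["cs-uri-stem"])]


def summarize_by_client(log_text):
    """Count flagged requests per client address (c-ip)."""
    return Counter(rec["c-ip"] for rec in find_idq_requests(log_text))


if __name__ == "__main__":
    for rec in find_idq_requests(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"])
    print(summarize_by_client(SAMPLE_LOG))
```

Any hit from this scan on a server that still has the mappings is worth following up: if nothing on the site legitimately uses Index Server queries, removing the .ida and .idq script mappings (and applying the MS01-033 patch) closes the path the bulletin describes.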