
CodeRed


ASLtechnical

Technical User
Joined
May 25, 2002
Messages
6
Location
GB
Hi,

Does anyone know how to create a filter to check for the CodeRed virus?

Thanks
 
Code Red exists only in memory - it isn't written to the hard disk. Get the patch from MS, install it and then reboot the machine - this fixes the problem. Unless you have a very large number of servers to check, this may be the simplest method. The worm itself crashes on Win NT - only W2K Pro Server machines are really at risk.

NAI has info here


Maybe someone else here has a custom filter, but NAI doesn't list one on their website. It appears that perhaps if you set up a filter for TCP/IP traffic on Port 80, you'll filter for the potential traffic as it's spreading (if in fact it is spreading).

Within the first filter you'd also need to set up a content filter with a hex pattern that matches the following text, which the virus/worm installs onto defaced web pages on the server that it infects - the problem is you'll only see it if that page is being downloaded. How about just doing a page search on your servers for the text of the HTML code below? Sorry I can't be more specific, as I've never tried this.

<html><head><meta http-equiv="Content-Type" content="text/html;
charset=English"><title>HELLO!</title></head><bady><hr size=5><font
color="red"><p align="center">Welcome to !<br><br>Hacked
By Chinese!</font></hr></bady></html>



Owen O'Neill
Datacom Systems Inc.
Northeastern SE
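An added example, not code from the thread or from either poster, of the two checks the reply above describes: the defacement fragment quoted in the post is turned into the hex content-filter pattern a port-80 content filter would take, and the same text is searched for across the files of a web root ("a page search on your servers"). The web root, its file layout, the sample pages and the set of file extensions scanned are all constructed or assumed here; the matcher only uses the stable phrase from the quoted page so the line break between "Hacked" and "By" in the fragment does not matter.

```python
"""Detect the Code Red defacement page in response bodies or on disk."""
import os
import re
import shutil
import tempfile

# The distinctive phrase from the defacement HTML quoted in the thread.
DEFACEMENT_MARKER = b"Hacked By Chinese!"

# Hex form of the marker: what a content filter keyed on a hex pattern would hold.
HEX_PATTERN = DEFACEMENT_MARKER.hex()

# Case-insensitive match that tolerates newlines/whitespace between the words,
# as in the quoted page where "Hacked" and "By Chinese!" sit on different lines.
_MARKER_RE = re.compile(rb"hacked\s+by\s+chinese!", re.IGNORECASE)

# Constructed sample pages (assumption: the defaced page is the fragment quoted
# in the thread, exactly as it appears there).
SAMPLE_DEFACED = (
    b'<html><head><meta http-equiv="Content-Type" content="text/html;\n'
    b'charset=English"><title>HELLO!</title></head><bady><hr size=5><font\n'
    b'color="red"><p align="center">Welcome to !<br><br>Hacked\n'
    b'By Chinese!</font></hr></bady></html>'
)
SAMPLE_CLEAN = b"<html><head><title>Home</title></head><body>Welcome</body></html>"


def marker_from_hex(hex_pattern: str) -> bytes:
    """Convert a hex content-filter pattern back to the bytes it matches."""
    return bytes.fromhex(hex_pattern)


def is_defaced_body(body: bytes) -> bool:
    """True if an HTTP response body (or file contents) carries the marker.

    Works on pages fetched from a server as well as on files, so it also
    catches a defacement that is served without being written to disk.
    """
    return _MARKER_RE.search(body) is not None


def scan_webroot(root: str, extensions=(".htm", ".html", ".asp")) -> list:
    """Walk a web root and return the sorted paths of files carrying the marker.

    The extension list is an assumption; widen it for the server's own types.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if is_defaced_body(fh.read()):
                    hits.append(path)
    return sorted(hits)


def demo() -> dict:
    """Build a throwaway web root with one defaced page, one clean page and one
    non-HTML file, scan it, and return the relative paths that matched."""
    root = tempfile.mkdtemp(prefix="codered_webroot_")
    try:
        os.makedirs(os.path.join(root, "scripts"))
        with open(os.path.join(root, "default.htm"), "wb") as fh:
            fh.write(SAMPLE_DEFACED)
        with open(os.path.join(root, "scripts", "index.html"), "wb") as fh:
            fh.write(SAMPLE_CLEAN)
        # Same bytes under a non-page extension: skipped by the extension filter.
        with open(os.path.join(root, "logo.gif"), "wb") as fh:
            fh.write(SAMPLE_DEFACED)
        hits = scan_webroot(root)
        return {"hex_pattern": HEX_PATTERN,
                "hits": [os.path.relpath(p, root) for p in hits]}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("content-filter hex pattern:", result["hex_pattern"])
    print("defaced pages found:", result["hits"])
```

Point `scan_webroot` at a real document root to run the file search; `is_defaced_body` can be applied to any page body you fetch from a server you administer, which is the case where the page is served from memory and no file on disk contains the text.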
 