> Are you sure?  I'm seeing `200' responses when I get a Code Red II request
> (Code Red gives `400's, OTOH), which would seem to indicate it was run.  I
> suppose I have to set up the script to write to its own log so I can get a
> better idea of whether it works or not.
> 
> Also, why would Apache have trouble?  I actually noticed earlier, before I
> put this script up, that Code Red requests were getting 400s, while Code
> Red II requests were getting 404s.  I suppose the two worms handle their
> HTTP connections differently..

Yes, I wrote a script with the purpose of capturing a copy of the virus 
in mind. It worked when I made a request, but wasn't working when the 
real worm came along. I finally packet sniffed until a codered hit came 
along, and discovered what was happening. (And finally captured a copy 
in the process...) Apache was seeing the garbage that was the virus 
body, and tossing back a Bad Request error.

My packet log is even up at http://www.haxxed.com/random/codered.tcpdump.cap

Of course I did this before II came along. What's up with II? Got a page 
with a nice in-depth autopsy for me? ;)