[Snort-users] local codered infection

Ryan Russell ryan at ...35...
Wed Feb 6 12:33:04 EST 2002


On Wed, 6 Feb 2002, Phil Wood wrote:

> > CodeRed.b is the only active one out there at the moment.  It doesn't
> > contain the string "cmd.exe".  That was Codered II (CodeRed.c and
> > CodeRed.d).
>
> For what it's worth, I saw 113,281 WEB-IIS cmd.exe accesses yesterday.
>

I should have said "the only active Code Red out there at the moment."
Yours would be Nimda, and possibly a few Sadmind and manual attempts.  The
original poster was only asking about Code Red, but Nimda is certainly
worth mentioning in this context.  Sorry for the omission.

					Ryan




