-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 20 Jul 2001, Chris Paget wrote:

> Secondly, can someone capture a copy of this second variant and
> dis-assemble it?
>
> I intend to add egress filters to one of my servers and allow it to
> become infected; if anyone wants to volunteer to help me pick it apart
> afterwards it would be appreciated.

I wonder if I have seen this variant - a person I emailed has a server
whose served web pages look a lot like the Code Red worm's output
(1 line of simple html) displaying FUCK CHINA GOVERNMENT and p0isonb0x
(or something like that) on a black background. The web files
themselves are untouched.

Actually I have the source of what it spits out:

<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck CHINA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcnat_private</html>

I've asked that he do a few things (including check for outbound
connections to port 80 of random IPs, patch, reboot, etc) but haven't
heard from him yet - his site is no longer up either.

Don P
http://aeinnovations.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7WHVT2KCg0hzfOnQRAkX9AKCatgkSAUQEugcNbpcw2UHaWNgMLgCfaC2R
Id2u7spws0eFvrx6Qmn23rg=
=ufnI
-----END PGP SIGNATURE-----
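The check for outbound connections to port 80 of random IPs mentioned in the message above can be run over saved `netstat -an` output. This is an added example, not part of the original post; the sample lines are constructed, and the function names and the threshold of 3 distinct destinations are assumptions.

```python
import re
from collections import Counter

# Constructed sample in `netstat -an` layout (not captured from a real host).
SAMPLE = """\
  TCP    10.0.0.5:80      192.0.2.10:3345     ESTABLISHED
  TCP    10.0.0.5:1034    198.51.100.7:80     SYN_SENT
  TCP    10.0.0.5:1035    203.0.113.9:80      SYN_SENT
  TCP    10.0.0.5:1036    198.51.100.44:80    ESTABLISHED
  TCP    10.0.0.5:1037    203.0.113.200:80    SYN_SENT
  TCP    0.0.0.0:80       0.0.0.0:0           LISTENING
  UDP    10.0.0.5:137     *:*
"""

# local_addr:port  remote_addr:port  state
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def outbound_http(netstat_text, service_ports=(80,)):
    """Return (remote_ip, state) for TCP connections this host opened to remote port 80."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # UDP rows, headers, blank lines
        _local_ip, lport, rip, rport, state = m.groups()
        # Remote port 80 with a local port that is not one of the host's own
        # services means the host is acting as an HTTP client, which a
        # dedicated web server normally has little reason to do.
        if int(rport) == 80 and int(lport) not in service_ports:
            found.append((rip, state))
    return found

def assess(netstat_text, max_distinct=3):
    """Summarise outbound port-80 activity; the threshold is an assumed value."""
    conns = outbound_http(netstat_text)
    distinct = {ip for ip, _ in conns}
    states = Counter(state for _, state in conns)
    return {
        "distinct_remote_ips": len(distinct),
        "syn_sent": states["SYN_SENT"],  # half-open attempts, typical of scanning
        "suspicious": len(distinct) >= max_distinct,
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Inbound visitors to the server's own port 80 are ignored, so only connections the host itself initiated are counted.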
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 14:14:16 PDT