Re: "Code Red" worm - there MUST be at least two versions.

From: Ryan Russell (ryanat_private)
Date: Fri Jul 20 2001 - 14:38:04 PDT

    On Fri, 20 Jul 2001, Don Papp wrote:
    
    > 	I wonder if I have seen this variant - a person I emailed has a
    > server whose web pages served look a lot like the Code Red worm's output
    > (1 line of simple html) displaying
    >
    > 	FUCK CHINA GOVERNENT
    > 	and p0isonb0x (or something like that)
    >
    > 	On a black background.  The web files themselves are untouched.
    >
    > 	Actually I have the source of what it spits out:
    >
    > <html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
    > align="center"><font size=7 color=red>fuck CHINA
    > Government</font><tr><td><p align="center"><font size=7 color=red>fuck
    > PoizonBOx<tr><td><p align="center"><font size=4
    > color=red>contact:sysadmcnat_private</html>
    >
    
    I would tend to assume that isn't a variant of the worm.  It's certainly
    not CRv1 or CRv2.  The HTML is about 40 bytes longer than that in Code
    Red, so it would be a bit more than simply changing the HTML code in the
    worm and relaunching; you'd have to adjust the content length reference,
    and a number of other items.  I would think it's non-trivial.
    
    I would think this was a hand-done response to Code Red.
    
    					Ryan
    



    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 15:05:05 PDT