http://www.incidents.org/react/code_redII.php

For more fun reading...

Kris

-----Original Message-----
From: Raan Young [mailto:raan@graand-visions.com]
Sent: Sunday, August 05, 2001 10:12 AM
To: CRIME List
Subject: more Code Red activity

This might be of interest....

Supposedly, a new version of the Code Red worm is going around with a different search strategy, where it spends most of its time (7 out of every 8 tries) probing hosts in its own subnet (which, for a large ISP, can still be millions), and the remaining eighth time trying a random address.

As before it's an IIS-specific attack. This time, someone's noticed this additional feature:

In this discussion:
http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=96509133&m=6400900342

Is noted this new twist:

Just discovered something interesting...

telnet <Code Red infected host> 80
type
GET /scripts/root.exe HTTP/1.0
and you have a command prompt..

Followed by:

If you point your browser to the IP [of Code Red infected server] and get a "UNDER CONTRUCTION" message then the root.exe shell will work.. if you get a 403. "TOO MANY CONNECTIONS" it won't work.

Raan Young
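For checking your own IIS logs for the /scripts/root.exe request described in the message above, here is an added example that is not part of the original thread. It assumes W3C extended logs with a `#Fields:` header, treats a 2xx status as a sign that root.exe exists on the server (an assumption), and runs on constructed sample lines.

```python
from collections import defaultdict

BACKDOOR_PATH = "/scripts/root.exe"  # path quoted in the message above

# Constructed sample (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 17:01:12 192.0.2.10 GET /default.htm - 200
2001-08-05 17:03:40 198.51.100.7 GET /scripts/root.exe - 200
2001-08-05 17:04:02 203.0.113.55 GET /Scripts/Root.exe - 404
2001-08-05 17:05:19 198.51.100.7 GET /scripts/root.exe - 200
"""

def find_backdoor_requests(log_text):
    """Return one record per request for BACKDOOR_PATH in a W3C extended log."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):     # malformed or truncated line
            continue
        rec = dict(zip(fields, values))
        # IIS paths are case-insensitive, so compare lowercased.
        if rec.get("cs-uri-stem", "").lower() != BACKDOOR_PATH:
            continue
        status = rec.get("sc-status", "")
        hits.append({
            "when": f'{rec.get("date", "?")} {rec.get("time", "?")}',
            "client": rec.get("c-ip", "?"),
            "status": status,
            # Assumption: a 2xx answer means root.exe exists on this server.
            "served": status.startswith("2"),
        })
    return hits

def summarize(hits):
    """Count requests and served responses per client address."""
    per_client = defaultdict(lambda: {"requests": 0, "served": 0})
    for h in hits:
        per_client[h["client"]]["requests"] += 1
        per_client[h["client"]]["served"] += int(h["served"])
    return dict(per_client)

if __name__ == "__main__":
    for h in find_backdoor_requests(SAMPLE_LOG):
        print(h["when"], h["client"], h["status"], "SERVED" if h["served"] else "not served")
```

Any line reported as SERVED means the server answered the request successfully, which is the condition the message describes for an infected host.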
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:09 PDT