RE: more Code Red activity

From: Kris Quinby (kquinby@private)
Date: Mon Aug 06 2001 - 09:56:36 PDT


    http://www.incidents.org/react/code_redII.php
    
    For more fun reading...
    
    Kris
    
    -----Original Message-----
    From: Raan Young [mailto:raan@graand-visions.com]
    Sent: Sunday, August 05, 2001 10:12 AM
    To: CRIME List
    Subject: more Code Red activity
    
    
    
    This might be of interest....
    
    Supposedly, a new version of the Code Red worm is going around with a
    different search strategy, where it spends most of its time (7 out of
    every 8 tries) probing hosts in its own subnet (which, for a large
    ISP, can still be millions), and the remaining eighth time trying a
    random address. As before it's an IIS-specific attack.  This time,
    someone's noticed this additional feature:
    
    In this discussion:
    
    http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=96509133&m=6400900342
    
    Is noted this new twist:
       Just discovered something interesting...
    
          telnet <Code Red infected host> 80
    
       type
          GET /scripts/root.exe HTTP/1.0
    
       and you have a command prompt..
    
    Followed by:
        If you point your browser to the IP [of Code Red infected server]
    and get a "UNDER CONTRUCTION" message then the root.exe shell will
    work.. if you get a 403. "TOO MANY CONNECTIONS" it won't work.
    
    
    Raan Young
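
A defensive check for the /scripts/root.exe request described above, as an added example that is not part of the original messages: it reads IIS W3C extended log text, uses the #Fields header to locate columns, and separates requests for that path answered with 404 from those that call for examining the server. The sample log lines are constructed, and treating only a 404 as proof that the file is absent is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 17:02:11 192.0.2.15 GET /default.htm - 200
2001-08-05 17:03:40 192.0.2.77 GET /scripts/root.exe - 200
2001-08-05 17:04:02 198.51.100.9 GET /Scripts/Root.exe - 404
2001-08-05 17:06:30 203.0.113.4 GET /scripts/root.exe - 403
"""

# IIS paths are case-insensitive, so match the stem without regard to case.
BACKDOOR_STEM = re.compile(r"^/scripts/root\.exe$", re.IGNORECASE)


def scan(log_text):
    """Return {'absent': [...], 'investigate': [...]} for root.exe requests.

    Each entry is (date, time, client_ip, status). Assumption: a 404 means
    the file does not exist on this server; any other status means the
    server should be examined for a copied command shell.
    """
    fields = []
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order can change mid-file; always use the latest header.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        if not BACKDOOR_STEM.match(rec.get("cs-uri-stem", "")):
            continue
        status = rec.get("sc-status", "")
        verdict = "absent" if status == "404" else "investigate"
        findings[verdict].append(
            (rec.get("date"), rec.get("time"), rec.get("c-ip"), status))
    return dict(findings)


if __name__ == "__main__":
    for verdict, hits in scan(SAMPLE_LOG).items():
        for hit in hits:
            print(verdict, *hit)
```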
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:10 PDT