Re: "Code Red" worm - there MUST be at least two versions.

From: Ilya Zherebetskiy (webmasterat_private)
Date: Mon Jul 23 2001 - 16:30:32 PDT


    At 05:40 PM 7/20/01 -0400, you wrote:
    >On Fri, Jul 20, 2001 at 12:15:46PM -0600, Don Papp spake thusly:
    > >       I wonder if I have seen this variant - a person I emailed has a
    > > server whose web pages served looks a lot like the Code Red worm's output
    > > (1 line of simple html) displaying
    > >
    > >       FUCK CHINA GOVERNENT
    > >       and p0isonb0x (or something like that)
    > >
    > >       On a black background.  The web files themselves are untouched.
    >
    >I think this was something else - maybe a similar worm, but it used
    >a different attack:
    >
    >"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -
    
    That's a unicode hack that exploits the /scripts/ directory.  In a default 
    IIS installation, /scripts/ has "execute" as its permission, and due to a bug in 
    Microsoft's IIS, unicode can be passed in and cmd.exe can be executed, 
    allowing the intruder full system access.
    
    For more info:
    http://www.sans.org/y2k/unicode.htm
    
    Ilya Zherebetskiy
    Brainlink Development
    
    >The machine that sent that to me had that same web page up, and I
    >also got one from a different IP (on the same subnet) a few hours
    >before that. That was a week ago though - July 13...
    >
    >--
    >Jon-o Addleman
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
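The request quoted above only looks harmless because the `..` is hidden behind an overlong UTF-8 sequence (`%c0%af` is a non-canonical encoding of `/`), so a log grep for `../` misses it. The following is an added example, not code from this thread or from SecurityFocus: a small log checker that decodes request paths the lenient way the vulnerable IIS did (overlong two-byte sequences and double percent-encoding), then flags paths that climb above the web root or end in `cmd.exe`. The log format, the sample lines other than the quoted request, and the heuristic names are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (IIS W3C-style fields, shortened to
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# Line 1 reproduces the request quoted in the thread; the others are
# made-up contrast cases (a double-encoded variant, two benign requests).
SAMPLE_LOG = """\
2001-07-13 10:00:01 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\shell.exe 404
2001-07-13 10:00:02 10.0.0.6 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-07-13 10:00:03 10.0.0.7 GET /index.html - 200
2001-07-13 10:00:04 10.0.0.8 GET /scripts/hello.pl - 200
"""

LOG_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) '
    r'(?P<uri>\S+) (?P<query>\S+) (?P<status>\d+)$'
)
# Two-byte overlong forms: lead byte 0xC0/0xC1 followed by a continuation byte.
OVERLONG_RE = re.compile(r'%c[01]%[89ab][0-9a-f]', re.IGNORECASE)


def decode_overlong_utf8(data: bytes) -> str:
    """Decode the way the vulnerable server did: accept 2-byte overlong
    sequences, which a strict UTF-8 decoder rejects.  Every other byte
    passes through unchanged (latin-1 style)."""
    out = []
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # e.g. %c0%af -> '/', %c1%9c -> '\'
            out.append(chr(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return ''.join(out)


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches %255c-style double encoding),
    apply the lenient UTF-8 decoding, then fold backslashes to slashes."""
    current = raw
    for _ in range(max_rounds):
        decoded = decode_overlong_utf8(unquote_to_bytes(current.encode('latin-1')))
        if decoded == current:
            break
        current = decoded
    return current.replace('\\', '/')


def escapes_root(path: str) -> bool:
    """True if '..' segments climb above the web root (depth goes negative)."""
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ('', '.'):
            depth += 1
    return False


def classify_request(uri: str) -> list:
    """Reasons a request path matches the IIS traversal pattern; [] if none."""
    reasons = []
    if OVERLONG_RE.search(uri):
        reasons.append('overlong-utf8')
    if '%25' in uri.lower():
        reasons.append('double-encoding')
    decoded = normalize_path(uri)
    if escapes_root(decoded):
        reasons.append('traversal-outside-root')
    if decoded.lower().endswith('/cmd.exe'):
        reasons.append('cmd.exe')
    return reasons


def analyze_log(text: str) -> list:
    """Run classify_request over each parseable line and keep the hits."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m['uri'])
        if reasons:
            # The status is what this host answered; it does not tell you
            # whether the same request succeeded on the host that sent it.
            findings.append({'ip': m['ip'], 'uri': m['uri'],
                             'status': int(m['status']), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['uri']} -> {', '.join(f['reasons'])}")
```

Running it lists the first two sample lines and leaves the benign `/scripts/hello.pl` request alone, which is the point: matching on the decoded path rather than the raw bytes is what separates a legitimate /scripts/ request from one that has already stepped out of the directory.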
    



    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 21:40:54 PDT