At 05:40 PM 7/20/01 -0400, you wrote:

>On Fri, Jul 20, 2001 at 12:15:46PM -0600, Don Papp spake thusly:
> > I wonder if I have seen this variant - a person I emailed has a
> > server whose served web pages look a lot like the Code Red worm's output
> > (1 line of simple html) displaying
> >
> > FUCK CHINA GOVERNENT
> > and p0isonb0x (or something like that)
> >
> > On a black background. The web files themselves are untouched.
>
>I think this was something else - maybe a similar worm, but it used
>a different attack:
>
>"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -

That's a Unicode hack that exploits the /scripts/ directory. In a default
IIS installation, /scripts/ has "execute" permission, and because of a bug
in Microsoft's IIS, Unicode can be passed in and cmd.exe can be executed,
allowing the intruder full system access.

For more info: http://www.sans.org/y2k/unicode.htm

Ilya Zherebetskiy
Brainlink Development

>The machine that sent that to me had that same web page up, and I
>also got one from a different IP (on the same subnet) a few hours
>before that. That was a week ago though - July 13...
>
>--
>Jon-o Addleman

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
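Added example, not part of the original thread: a small Python log scanner that replays the decoding step behind the request quoted above. The IIS bug was that the "..", traversal check ran on the raw URL, and only afterwards did a lax UTF-8 decoder turn the overlong sequence %c0%af into '/' (and %c1%9c into '\'), so "..%c0%af.." became "../.." too late to be rejected. The scanner decodes each request path the same lax way and flags traversal that only appears after that decode. The log lines are constructed for illustration (the first request line is the one quoted in the thread; the client IPs and the other requests are invented), and the function names are my own.

```python
"""Detect IIS "Unicode" (overlong UTF-8) directory-traversal requests
in web access logs.  Added example; not code from the original post."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log (CLF style).  The first request line is the one
# quoted in the thread; the rest, and all client addresses, are made up.
SAMPLE_LOG = r"""
10.0.0.5 - - [13/Jul/2001:10:12:01 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe HTTP/1.0" 404 -
10.0.0.5 - - [13/Jul/2001:10:12:02 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1234
192.0.2.7 - - [13/Jul/2001:10:13:00 -0400] "GET /index.html HTTP/1.0" 200 512
192.0.2.8 - - [13/Jul/2001:10:14:00 -0400] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.9 - - [13/Jul/2001:10:15:00 -0400] "GET /images/%c3%a9.gif HTTP/1.0" 200 99
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def lax_utf8_decode(data):
    """Decode UTF-8 the way the vulnerable IIS decoder did: overlong
    2- and 3-byte forms are accepted and mapped to their code point
    (C0 AF -> '/', C1 9C -> '\\').  A strict decoder rejects them.
    Returns (text, overlong_seen)."""
    out, i, overlong = [], 0, False
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong |= cp < 0x80          # 2-byte form for an ASCII code point
            out.append(chr(cp))
            i += 2
        elif (0xE0 <= b < 0xF0 and i + 2 < len(data)
              and all(0x80 <= x < 0xC0 for x in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong |= cp < 0x800         # 3-byte form for a 1- or 2-byte code point
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")           # malformed byte: keep going, mark it
            i += 1
    return "".join(out), overlong


def escapes_webroot(path):
    """True if the decoded path climbs above the web root.  Backslashes
    count as separators, as they do on Windows."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def classify(target):
    """Percent-decode once, then decode UTF-8 laxly, then check traversal:
    the order the vulnerable server effectively used."""
    path = target.split("?", 1)[0]
    decoded, overlong = lax_utf8_decode(unquote_to_bytes(path))
    traversal = escapes_webroot(decoded)
    if traversal and overlong:
        verdict = "unicode-traversal"      # hidden from the pre-decode check
    elif traversal:
        verdict = "plain-traversal"        # IIS rejected these before decoding
    else:
        verdict = "clean"
    return {"path": decoded, "verdict": verdict,
            "cmd_exe": "cmd.exe" in decoded.lower()}


def scan_log(text):
    """Classify every request line in a CLF-style log; returns a list of dicts."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        result = classify(m.group("target"))
        result["client"] = line.split()[0]
        hits.append(result)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["client"]:<12} {h["verdict"]:<18} cmd.exe={h["cmd_exe"]}  {h["path"]}')
```

Note that the 404 on the quoted request does not mean the attack failed: the copy of cmd.exe to /scripts/shell.exe can succeed while the "page" itself returns 404, which is why the verdict here keys on the decoded path rather than on the status code.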
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 21:40:54 PDT