It was a web site the Code Red Worm sent data to, once it infected a machine. It was part of the CR script. The site was shut down a while ago.

Part of the CR script:

<snip>
> 0x0370 7369 7a65 3d35 3e3c 666f 6e74 2063 6f6c size=5><font.col
> 0x0380 6f72 3d22 7265 6422 3e3c 7020 616c 6967 or="red"><p.alig
> 0x0390 6e3d 2263 656e 7465 7222 3e57 656c 636f n="center">Welco
> 0x03a0 6d65 2074 6f20 6874 7470 3a2f 2f77 7777 me.to.http://www
> 0x03b0 2e77 6f72 6d2e 636f 6d20 213c 6272 3e3c .worm.com.!<br><
> 0x03c0 6272 3e48 6163 6b65 6420 4279 2043 6869 br>Hacked.By.Chi
> 0x03d0 6e65 7365 213c 2f66 6f6e 743e 3c2f 6872 nese!</font></hr
> 0x03e0 3e3c 2f62 6164 793e 3c2f 6874 6d6c 3e20 ></bady></html>.
<snip>

Jack Johnston
Information Assurance Manager
Information Warfare Officer
member: AVIEN
http://www.avien.org/earlywarning.html

----Original Message-----
From: Sean Kelly [mailto:listsat_private]
Sent: Wednesday, August 01, 2001 11:36 AM
To: incidentsat_private
Subject: http://www.worm.com/default.ida? requests

My webcache is having a massive amount of requests for http://www.worm.com/default.ida?. Is this an infected machine trying to scan, or is this a scanner trying to detect compromised hosts? I have found a reference to www.worm.com in a document saying it is part of the text placed on the homepage of a web server that has been defaced by Code Red.

Thanks,

--
Sean Kelly

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 11:24:37 PDT