A new Code Red variant

From: Scott Wunsch (bugtraqat_private)
Date: Wed Aug 01 2001 - 11:06:42 PDT

Next message: Robin Stevens: "Re: http://www.worm.com/default.ida? requests"

Previous message: Johnston, Jack: "RE: http://www.worm.com/default.ida? requests"
Next in thread: Steve Halligan: "RE: A new Code Red variant"
Reply: Steve Halligan: "RE: A new Code Red variant"
Reply: Blake Frantz: "Re: A new Code Red variant"
Reply: JKruser: "RE: A new Code Red variant"
Reply: Andrew Cardwell: "RE: A new Code Red variant"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Glancing at my Apache logs, I noticed what looked like a typical Code Red
hit at 11:50:59 CST from 61.141.213.162 (which resolves to a name in .cn).
I fired up my web browser and pointed it at that IP, wondering whether it
was defaced by CRv1, or looked normal (i.e., CRv2).

It appears likely to be defaced, all right, but not with the usual CRv1
message.  Could we have yet another new strain out there?

In case the box has been cleaned up, I mirrored the defaced page at
<http://www.wunsch.org/mirrors/codered/>.  The text is as follows, in red
on a black background:

> fuck CHINA Government
> 
> fuck PoizonBOx
> 
> contact:sysadmcnat_private

-- 
Take care,
Scott \\'unsch

... St... St... Stu... St... Stuttering Ta... Tagline.

application/pgp-signature attachment: stored

Next message: Robin Stevens: "Re: http://www.worm.com/default.ida? requests"
Previous message: Johnston, Jack: "RE: http://www.worm.com/default.ida? requests"
Next in thread: Steve Halligan: "RE: A new Code Red variant"
Reply: Steve Halligan: "RE: A new Code Red variant"
Reply: Blake Frantz: "Re: A new Code Red variant"
Reply: JKruser: "RE: A new Code Red variant"
Reply: Andrew Cardwell: "RE: A new Code Red variant"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 11:26:28 PDT