This is the sadmind worm. > -----Original Message----- > From: Scott Wunsch [mailto:bugtraqat_private] > Sent: Wednesday, August 01, 2001 1:07 PM > To: incidentsat_private > Subject: A new Code Red variant > > > Glancing at my Apache logs, I noticed what looked like a > typical Code Red > hit at 11:50:59 CST from 61.141.213.162 (which resolves to a > name in .cn). > I fired up my web browser and pointed it at that IP, > wondering whether it > was defaced by CRv1, or looked normal (i.e., CRv2). > > It appears likely to be defaced, all right, but not with the > usual CRv1 > message. Could we have yet another new strain out there? > > In case the box has been cleaned up, I mirrored the defaced page at > <http://www.wunsch.org/mirrors/codered/>. The text is as > follows, in red > on a black background: > > > fuck CHINA Government > > > > fuck PoizonBOx > > > > contact:sysadmcnat_private > > -- > Take care, > Scott \\'unsch > > ... St... St... Stu... St... Stuttering Ta... Tagline. > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 12:05:53 PDT