RE: A new Code Red variant

From: Andrew Cardwell (acardwellat_private)
Date: Wed Aug 01 2001 - 11:03:05 PDT

    Interestingly, when I view this page my virus checker (Norton) says that the
    backdoor sadmind.dr is included in the temporary files downloaded when I
    viewed the webpage (IE).
    
    Scott - you may want to check your mirror.
    
    
    --
    Andrew Cardwell (CISSP/SSCP) - acardwellat_private
    Mobile: +44 7092 028 865 - Home Office: +44 1353 659274
    
    > -----Original Message-----
    > From: Scott Wunsch [mailto:bugtraqat_private]
    > Sent: Wednesday, August 01, 2001 8:07 PM
    > To: incidentsat_private
    > Subject: A new Code Red variant
    >
    >
    > Glancing at my Apache logs, I noticed what looked like a typical Code Red
    > hit at 11:50:59 CST from 61.141.213.162 (which resolves to a name in .cn).
    > I fired up my web browser and pointed it at that IP, wondering whether it
    > was defaced by CRv1, or looked normal (i.e., CRv2).
    >
    > It appears likely to be defaced, all right, but not with the usual CRv1
    > message.  Could we have yet another new strain out there?
    >
    > In case the box has been cleaned up, I mirrored the defaced page at
    > <http://www.wunsch.org/mirrors/codered/>.  The text is as follows, in red
    > on a black background:
    >
    > > fuck CHINA Government
    > >
    > > fuck PoizonBOx
    > >
    > > contact:sysadmcnat_private
    >
    > --
    > Take care,
    > Scott \\'unsch
    >
    > ... St... St... Stu... St... Stuttering Ta... Tagline.
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    