Re: A new Code Red variant

From: jason (jpotopaat_private)
Date: Wed Aug 01 2001 - 14:36:18 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Correct me if I'm wrong, but the sadmind worm will infect Solaris
    sadmind, then look to infect IIS.  The IIS infection is just a
    defacement and no propagation code is on the IIS server.  If what
    we're seeing is an infected IIS box, scanning to infect someone else,
    this would be new.
    
    If I'm off my rocker, someone hit me.
    
    Jason Potopa
    
    ----- Original Message -----
    From: "Andrew Cardwell" <acardwellat_private>
    To: "Scott Wunsch" <bugtraqat_private>;
    <incidentsat_private>
    Sent: Wednesday, August 01, 2001 11:03 AM
    Subject: RE: A new Code Red variant
    
    
    > Interestingly when I view this page my virus checker (Norton) says
    > that the backdoor sadmind.dr is included in the temporary files
    > downloaded when I viewed the webpage (IE).
    > 
    > Scott - you may want to check your mirror.
    > 
    > 
    > --
    > Andrew Cardwell (CISSP/SSCP) - acardwellat_private
    > Mobile: +44 7092 028 865 - Home Office: +44 1353 659274
    > 
    > > -----Original Message-----
    > > From: Scott Wunsch [mailto:bugtraqat_private]
    > > Sent: Wednesday, August 01, 2001 8:07 PM
    > > To: incidentsat_private
    > > Subject: A new Code Red variant
    > >
    > >
    > > Glancing at my Apache logs, I noticed what looked like a typical
    > > Code Red hit at 11:50:59 CST from 61.141.213.162 (which resolves
    > > to a name in .cn). I fired up my web browser and pointed it at
    > > that IP, wondering whether it was defaced by CRv1, or looked
    > > normal (i.e., CRv2).
    > >
    > > It appears likely to be defaced, all right, but not with the
    > > usual CRv1 message.  Could we have yet another new strain out
    > > there?
    > >
    > > In case the box has been cleaned up, I mirrored the defaced page
    > > at <http://www.wunsch.org/mirrors/codered/>.  The text is as
    > > follows, in red on a black background:
    > >
    > > > fuck CHINA Government
    > > >
    > > > fuck PoizonBOx
    > > >
    > > > contact:sysadmcnat_private
    > >
    > > --
    > > Take care,
    > > Scott \\'unsch
    > >
    > > ... St... St... Stu... St... Stuttering Ta... Tagline.
    > >
    > 
    > 
    > --------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO2h2UVL3u0OElmjPEQKnyQCg79J37hNtVdA+OS7dOIyhyIjylaEAmweh
    UlSo/k5vRiSKp6gcCTp0u7gy
    =A4YT
    -----END PGP SIGNATURE-----
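Scott's report starts from a "typical Code Red hit" spotted in Apache logs. The following script is an added example (not code from anyone in this thread) showing how such hits can be picked out of an access log automatically rather than by eye. It assumes the publicly documented shape of the Code Red probe: a GET for /default.ida followed by a long run of N (CRv1) or X (CRv2) padding; the sample log lines are constructed for the example, with the request payload after the padding elided.

```python
import re
from collections import Counter

# Apache common/combined log format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red probes request /default.ida with a long run of padding bytes aimed at the
# IIS Indexing Service ISAPI filter: 'N' padding for CRv1, 'X' padding for CRv2.
# Apache has no such handler, so the hit simply shows up as a 404 in the log.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<pad>N{100,}|X{100,})')


def parse_line(line):
    """Parse one Apache log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_probe(request):
    """Return 'CRv1', 'CRv2' or None for the request string of a log record."""
    m = PROBE_RE.match(request)
    if not m:
        return None
    return 'CRv1' if m.group('pad')[0] == 'N' else 'CRv2'


def scan_log(lines):
    """Return (hits, sources): hits as (host, timestamp, variant) tuples,
    sources as a Counter of probing hosts, so repeat scanners stand out."""
    hits = []
    sources = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # unparseable line: skip rather than crash
            continue
        variant = classify_probe(rec['req'])
        if variant:
            hits.append((rec['host'], rec['ts'], variant))
            sources[rec['host']] += 1
    return hits, sources


# Constructed sample log lines (not taken from the thread). The first source
# address is the one Scott quoted; the others are documentation ranges.
# "%u...=a" stands in for the elided payload portion of the real request.
SAMPLE_LOG = [
    '61.141.213.162 - - [01/Aug/2001:11:50:59 -0600] "GET /default.ida?'
    + 'N' * 224 + '%u...=a HTTP/1.0" 404 283',
    '192.0.2.10 - - [01/Aug/2001:11:51:12 -0600] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Aug/2001:12:02:41 -0600] "GET /default.ida?'
    + 'X' * 224 + '%u...=a HTTP/1.0" 404 283',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    hits, sources = scan_log(SAMPLE_LOG)
    for host, ts, variant in hits:
        print(f'{ts} {host} {variant}')
    print('probing hosts:', dict(sources))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; the per-host Counter is what tells you whether a source is a one-off probe or an infected box sweeping your address space, which is the distinction the thread is trying to make.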
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 14:23:29 PDT