Apache Logs and Code Red

From: andrew (a_weisburdat_private)
Date: Wed Aug 01 2001 - 12:29:31 PDT


    Compare the entries in the Apache error log with those of the access log.
    
    The CodeRed entries in the Apache access log will have the telltale
    'default.ida' stuff.
    
    The Apache error log is a quicker read, but will only say:
    [Wed Aug  1 12:11:01 2001] [error] [client 200.41.239.162] Client sent malformed Host header
    And sadmind and CodeRed seem to share this error message.
    
    Pardon me while I read the latest SirCam attachment to show up in my inbox...
    
    Andrew
    
    
    On Wednesday, August 1, 2001, at 01:29 , Steve Halligan wrote:
    
    > This is the sadmind worm.
    >
    >> -----Original Message-----
    >> From: Scott Wunsch [mailto:bugtraqat_private]
    >> Sent: Wednesday, August 01, 2001 1:07 PM
    >> To: incidentsat_private
    >> Subject: A new Code Red variant
    >>
    >>
    >> Glancing at my Apache logs, I noticed what looked like a typical Code Red
    >> hit at 11:50:59 CST from 61.141.213.162 (which resolves to a name in .cn).
    >> I fired up my web browser and pointed it at that IP, wondering whether it
    >> was defaced by CRv1, or looked normal (i.e., CRv2).
    >>
    >> It appears likely to be defaced, all right, but not with the usual CRv1
    >> message.  Could we have yet another new strain out there?
    >>
    >> In case the box has been cleaned up, I mirrored the defaced page at
    >> <http://www.wunsch.org/mirrors/codered/>.  The text is as follows, in red
    >> on a black background:
    >>
    >>> fuck CHINA Government
    >>>
    >>> fuck PoizonBOx
    >>>
    >>> contact:sysadmcnat_private
    >>
    >> --
    >> Take care,
    >> Scott \\'unsch
    >>
    >> ... St... St... Stu... St... Stuttering Ta... Tagline.
    >>
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    > QUIT
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
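One way to do the access-log/error-log comparison Andrew describes, as an added example that is not part of the original thread: it assumes Apache 1.3-style common log format access lines and `[client ip]` error lines, and the sample lines below are constructed (the second error-log client, 192.0.2.55, is a documentation address, not one from the thread).

```python
import re
from collections import defaultdict

# Code Red's probe requests the ISAPI handler 'default.ida'; that string in the
# access log is the telltale. The error log only records a generic message,
# which sadmind/IIS traffic also produces, so it cannot distinguish the two.
CODE_RED_MARK = "default.ida"
MALFORMED_HOST = "Client sent malformed Host header"

# Common log format: ip ident user [time] "request" status bytes
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
# Apache 1.3 error log: [time] [level] [client ip] message
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[(\w+)\] \[client ([\d.]+)\] (.*)$')

# Constructed sample lines (not from the thread); the default.ida query is shortened.
SAMPLE_ACCESS = [
    '200.41.239.162 - - [01/Aug/2001:12:11:01 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 400 325',
    '10.0.0.7 - - [01/Aug/2001:12:12:30 -0700] "GET /index.html HTTP/1.0" 200 1043',
]
SAMPLE_ERROR = [
    '[Wed Aug  1 12:11:01 2001] [error] [client 200.41.239.162] Client sent malformed Host header',
    '[Wed Aug  1 12:15:42 2001] [error] [client 192.0.2.55] Client sent malformed Host header',
]

def code_red_clients(access_lines):
    """Return {ip: [timestamp, ...]} for access-log requests that carry default.ida."""
    hits = defaultdict(list)
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and CODE_RED_MARK in m.group(3):
            hits[m.group(1)].append(m.group(2))
    return dict(hits)

def malformed_host_clients(error_lines):
    """Return the set of client IPs that triggered the 'malformed Host header' error."""
    ips = set()
    for line in error_lines:
        m = ERROR_RE.match(line)
        if m and MALFORMED_HOST in m.group(4):
            ips.add(m.group(3))
    return ips

def classify(access_lines, error_lines):
    """Corroborate error-log clients against the access log: 'code_red' if a
    default.ida request exists, otherwise 'other' (sadmind shares the message)."""
    cr = code_red_clients(access_lines)
    mh = malformed_host_clients(error_lines)
    return {"code_red": sorted(set(cr) | {ip for ip in mh if ip in cr}),
            "other": sorted(ip for ip in mh if ip not in cr)}
```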
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 14:32:05 PDT