Re: Code Red - A Possible Origin?

From: Mike Lewinski (mikeat_private)
Date: Fri Aug 24 2001 - 13:09:12 PDT


    $ telnet tao.ca www
    GET /~wrench/bloc/news/07_19_01.html HTTP/1.1
    
    HTTP/1.1 200 OK
    Date: Fri, 24 Aug 2001 19:47:42 GMT
    Server: Apache
    Last-Modified: Fri, 20 Jul 2001 01:52:42 GMT
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    
    The server appears to be located in the Toronto area which I believe
    is -0400 GMT. If it hasn't been monkeyed with, the Last-Modified tag
    places the document's creation time around 9:50pm local time on the 19th
    of July.
    
    The original eEye advisory containing details about the worm's
    "whitehouse attack mode" was released two days earlier, on the 17th of
    July. I'd be a lot more inclined to believe the claim of responsibility
    if Apache was giving a 'last-modified' tag earlier than that date. By
    the posting date it was already public knowledge.
    
    Mike
    
    ----- Original Message -----
    From: "Michal Nazarewicz" <m.nazarewiczat_private>
    To: "'Michael J. Cannon'" <mcannonat_private>;
    <incidentsat_private>
    Sent: Friday, August 24, 2001 1:42 AM
    Subject: RE: Code Red - A Possible Origin?
    
    
    > > Tongue VERY firmly in cheek here, gang.  Let's not mistake a group's
    > > target of opportunity for the real thing.  But it's interesting that
    > > someone would have the balls to claim responsibility, no matter how
    > > indirectly.
    >
    > ...let's also add that there is a message written in black on black
    > background which says:
    >
    > red worm denial-of-service dos code welcome to http://www.worm.com!
    > Hacked by Chinese - xo ha
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    



    This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 12:53:54 PDT
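
The timestamp check described in the message above, as an added example that is not part of the original post: it parses the quoted response headers, converts Last-Modified to the assumed -0400 local offset, and compares the result with the 17 July advisory date. The function and constant names are hypothetical.

```python
from datetime import date, timedelta, timezone
from email.utils import parsedate_to_datetime

# Response headers as quoted in the message above.
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 24 Aug 2001 19:47:42 GMT\r\n"
    "Server: Apache\r\n"
    "Last-Modified: Fri, 20 Jul 2001 01:52:42 GMT\r\n"
    "\r\n"
)
DISCLOSURE = date(2001, 7, 17)   # advisory date given in the message
ASSUMED_OFFSET = -4              # hours from GMT, the message's own assumption

def parse_headers(raw):
    """Return a lower-cased header dict from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def triage_claim(raw, disclosure, utc_offset_hours):
    """Compare a page's Last-Modified time with a public disclosure date."""
    headers = parse_headers(raw)
    if "last-modified" not in headers:
        return {"verdict": "no Last-Modified header; nothing to compare"}
    modified = parsedate_to_datetime(headers["last-modified"])
    local = modified.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    result = {
        "modified_local": local,
        "days_after_disclosure": (local.date() - disclosure).days,
    }
    # A Last-Modified later than the server's own Date means a wrong clock.
    served = parsedate_to_datetime(headers["date"]) if "date" in headers else None
    if served is not None and modified > served:
        result["verdict"] = "Last-Modified is later than Date; clock unreliable"
    elif local.date() < disclosure:
        result["verdict"] = "file predates disclosure (mtime can be set by hand)"
    else:
        result["verdict"] = "file does not predate disclosure"
    return result

if __name__ == "__main__":
    print(triage_claim(RESPONSE, DISCLOSURE, ASSUMED_OFFSET))
```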