[21745] in bugtraq
Re: "Code Red" worm - there MUST be at least two versions.
daemon@ATHENA.MIT.EDU (Don Papp)
Fri Jul 20 17:28:04 2001
Date: Fri, 20 Jul 2001 12:15:46 -0600 (MDT)
From: Don Papp <donp@aeinnovations.com>
To: bugtraq@securityfocus.com
In-Reply-To: <v3mgltglpdkhab6do1ai2vvpqb2ufb7g6h@4ax.com>
Message-ID: <Pine.LNX.4.10.10107201210510.26692-100000@diehumans.aeinnovations.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 20 Jul 2001, Chris Paget wrote:
> Secondly, can someone capture a copy of this second variant and
> dis-assemble it?
>
> I intend to add egress filters to one of my servers and allow it to
> become infected; if anyone wants to volunteer to help me pick it apart
> afterwards it would be appreciated.
I wonder if I have seen this variant - a person I emailed has a
server whose web pages served looks a lot like the Code Red worm's output
(1 line of simple html) displaying
FUCK CHINA GOVERNENT
and p0isonb0x (or something like that)
On a black background. The web files themselves are untouched.
Actually I have the source of what it spits out:
<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
align="center"><font size=7 color=red>fuck CHINA
Government</font><tr><td><p align="center"><font size=7 color=red>fuck
PoizonBOx<tr><td><p align="center"><font size=4
color=red>contact:sysadmcn@yahoo.com.cn</html>
I've asked that he do a few things (including check for
outbound connections to port 80s of random IPs, patch, reboot, etc) but
haven't heard from him yet - his site is no longer up either.
Don P
http://aeinnovations.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7WHVT2KCg0hzfOnQRAkX9AKCatgkSAUQEugcNbpcw2UHaWNgMLgCfaC2R
Id2u7spws0eFvrx6Qmn23rg=
=ufnI
-----END PGP SIGNATURE-----
