[21753] in bugtraq


Re: "Code Red" worm - there MUST be at least two versions.

daemon@ATHENA.MIT.EDU (Jon-o Addleman)
Fri Jul 20 18:20:14 2001

Date: Fri, 20 Jul 2001 17:40:06 -0400
From: Jon-o Addleman <jonathan.addleman@mcgill.ca>
To: bugtraq@securityfocus.com
Message-ID: <20010720174006.A18026@redowl.penguinpowered.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.10.10107201210510.26692-100000@diehumans.aeinnovations.com>

On Fri, Jul 20, 2001 at 12:15:46PM -0600, Don Papp spake thusly:
> 	I wonder if I have seen this variant - a person I emailed has a
> server whose web pages served looks a lot like the Code Red worm's output
> (1 line of simple html) displaying
> 
> 	FUCK CHINA GOVERNENT
> 	and p0isonb0x (or something like that)
> 
> 	On a black background.  The web files themselves are untouched.

I think this was something else - maybe a similar worm, but it used
a different attack:

"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -

The machine that sent that to me had that same web page up, and I
also got one from a different IP (on the same subnet) a few hours
before that. That was a week ago though - July 13... 

-- 
Jon-o Addleman
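Added here as a detection-side example, not code from the post or the bugtraq thread: a small log classifier that decodes the overlong UTF-8 form (%c0%af for "/") the way a permissive decoder would, then flags traversal out of the scripts directory and requests that reach cmd.exe. The log lines are constructed in common log format; the first carries the request quoted above, the others are controls.

```python
import re

# Constructed access-log lines: the first carries the request quoted in the post above.
SAMPLE_LOG = [
    r'192.0.2.10 - - [13/Jul/2001:02:10:00 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe HTTP/1.0" 404 -',
    r'192.0.2.11 - - [13/Jul/2001:02:11:00 -0400] "GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1234',
    r'192.0.2.12 - - [13/Jul/2001:02:12:00 -0400] "GET /index.html HTTP/1.0" 200 512',
    r'192.0.2.13 - - [13/Jul/2001:02:13:00 -0400] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -',
]
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+)')

def decode_path(raw):
    """Percent-decode, then decode UTF-8 by hand so overlong forms are accepted
    the way a permissive server-side decoder would. Returns (text, saw_overlong)."""
    data, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "%" and re.fullmatch(r"[0-9a-fA-F]{2}", raw[i + 1:i + 3]):
            data.append(int(raw[i + 1:i + 3], 16)); i += 3
        else:
            data.extend(raw[i].encode("utf-8")); i += 1
    cont = lambda j: j < len(data) and data[j] & 0xC0 == 0x80  # continuation byte?
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and cont(i + 1):            # 2-byte form; lead C0/C1 is always overlong
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong |= cp < 0x80
            out.append(chr(cp)); i += 2
        elif 0xE0 <= b <= 0xEF and cont(i + 1) and cont(i + 2):   # 3-byte form
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong |= cp < 0x800
            out.append(chr(cp)); i += 3
        else:
            out.append("\ufffd"); i += 1                    # malformed byte, keep scanning
    return "".join(out), overlong

def classify(line):
    """Findings for one log line (None if no request); 'escalate' flags overlong encoding or traversal to cmd.exe."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, overlong = decode_path(m.group("target").split("?", 1)[0])
    segments = path.replace("\\", "/").split("/")
    f = {"overlong_utf8": overlong,
         "traversal": ".." in segments,
         "cmd_exe": segments[-1].lower() == "cmd.exe"}
    f["escalate"] = f["overlong_utf8"] or (f["traversal"] and f["cmd_exe"])
    return f
```

Matching on the literal string "%c0%af" alone would miss the three-byte form in the second sample line; decoding first and matching on the result catches both.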