Bugtraq mailing list archives
Re: "Code Red" worm - there MUST be at least two versions.
From: Jon-o Addleman <jonathan.addleman () mcgill ca>
Date: Fri, 20 Jul 2001 17:40:06 -0400
On Fri, Jul 20, 2001 at 12:15:46PM -0600, Don Papp spake thusly:
> I wonder if I have seen this variant - a person I emailed has a server whose web pages served look a lot like the Code Red worm's output (1 line of simple html) displaying FUCK CHINA GOVERNENT and p0isonb0x (or something like that) on a black background. The web files themselves are untouched.

I think this was something else - maybe a similar worm, but it used a different attack:

"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -

The machine that sent that to me had that same web page up, and I also got one from a different IP (on the same subnet) a few hours before that. That was a week ago though - July 13...

--
Jon-o Addleman
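
Added example, not part of the original post or thread: a log check for the kind of request quoted above, where `%c0%af` is an overlong two-byte UTF-8 encoding of `/` that hides a `../` traversal from a filter that runs before decoding. The function names, the log-line pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample entries; the first mirrors the request quoted in the post.
SAMPLE_LOG = [
    r'"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -',
    '"GET /index.html" 200 1043',
    '"GET /caf%c3%a9.html" 200 512',  # valid two-byte UTF-8, must not be flagged
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) ([^\s"]+)"')  # assumed log layout

def lenient_decode(raw: bytes):
    """Decode the way a permissive parser would, recording overlong sequences.

    Lead bytes 0xC0/0xC1 can only encode code points below 0x80, which must
    be written as a single byte, so they never occur in valid UTF-8.
    """
    out, hits, i = bytearray(), [], 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            code = ((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            hits.append(chr(code))
            out.append(code)
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1"), hits

def inspect(line: str):
    """Return findings for one log line, or None if no request is found."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = unquote_to_bytes(m.group(1).split("?", 1)[0])  # path only
    normalized, hits = lenient_decode(raw)
    try:
        raw.decode("utf-8")          # a strict decoder rejects overlong forms
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False
    traversal = ".." in normalized.replace("\\", "/").split("/")
    return {"normalized": normalized, "overlong": hits,
            "strict_utf8_ok": strict_ok, "traversal": traversal}

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect(entry))
```

Rejecting any request path that fails strict UTF-8 decoding, and checking for traversal only after decoding, closes the gap this request relies on.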