Security Incidents mailing list archives

RE: http://www.worm.com/default.ida? requests


From: "Johnston, Jack" <JohnstonJ () mtmc army mil>
Date: Wed, 1 Aug 2001 14:06:26 -0400

It was a web site the Code Red Worm sent data to, once it infected a
machine.
It was part of the CR script.  Site has been shut down a while ago.
Part of the CR script:
<snip>
0x0370   7369 7a65 3d35 3e3c 666f 6e74 2063 6f6c        size=5><font.col
0x0380   6f72 3d22 7265 6422 3e3c 7020 616c 6967        or="red"><p.alig
0x0390   6e3d 2263 656e 7465 7222 3e57 656c 636f        n="center">Welco
0x03a0   6d65 2074 6f20 6874 7470 3a2f 2f77 7777        me.to.http://www
0x03b0   2e77 6f72 6d2e 636f 6d20 213c 6272 3e3c        .worm.com.!<br><
0x03c0   6272 3e48 6163 6b65 6420 4279 2043 6869        br>Hacked.By.Chi
0x03d0   6e65 7365 213c 2f66 6f6e 743e 3c2f 6872        nese!</font></hr
0x03e0   3e3c 2f62 6164 793e 3c2f 6874 6d6c 3e20        ></bady></html>.
<snip>

Jack Johnston
Information Assurance Manager
Information Warfare Officer
member:  AVIEN
http://www.avien.org/earlywarning.html



----Original Message-----
From: Sean Kelly [mailto:lists () shortestpath org]
Sent: Wednesday, August 01, 2001 11:36 AM
To: incidents () securityfocus com
Subject: http://www.worm.com/default.ida? requests


        My webcache is having a massive amount of requests for
http://www.worm.com/default.ida?.  Is this an infected machine trying to
scan, or is this a scanner trying to detect compromised hosts?

        I have found a reference to www.worm.com in a document saying it
is part of the text placed on the homepage of a web server that has been
defaced by Code Red.

        Thanks,

--
Sean Kelly


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
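
The dump fragment quoted in the reply above can be turned back into bytes to confirm the ASCII column and pull out the embedded host name. This is an added example, not part of the original messages; the function names parse_dump and extract_hosts are assumptions made for illustration.

```python
import re

# Fragment copied from the message above: offset, 16-bit hex words, then an
# ASCII gutter in which bytes outside 0x21-0x7e (including space) print as '.'.
DUMP = r"""
0x0370   7369 7a65 3d35 3e3c 666f 6e74 2063 6f6c        size=5><font.col
0x0380   6f72 3d22 7265 6422 3e3c 7020 616c 6967        or="red"><p.alig
0x0390   6e3d 2263 656e 7465 7222 3e57 656c 636f        n="center">Welco
0x03a0   6d65 2074 6f20 6874 7470 3a2f 2f77 7777        me.to.http://www
0x03b0   2e77 6f72 6d2e 636f 6d20 213c 6272 3e3c        .worm.com.!<br><
0x03c0   6272 3e48 6163 6b65 6420 4279 2043 6869        br>Hacked.By.Chi
0x03d0   6e65 7365 213c 2f66 6f6e 743e 3c2f 6872        nese!</font></hr
0x03e0   3e3c 2f62 6164 793e 3c2f 6874 6d6c 3e20        ></bady></html>.
"""

LINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2,4}\s)+)\s*(\S*)$")
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")

def parse_dump(text):
    """Rebuild (start_offset, payload), rejecting gaps and gutter mismatches."""
    start, data = None, bytearray()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and <snip> markers
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex("".join(m.group(2).split()))
        if start is None:
            start = offset
        elif offset != start + len(data):
            raise ValueError(f"gap or overlap at offset {offset:#06x}")
        # Re-render the gutter from the hex and compare it with what was posted.
        gutter = "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in chunk)
        if m.group(3) and m.group(3) != gutter:
            raise ValueError(f"ASCII column disagrees with hex at {offset:#06x}")
        data += chunk
    return start, bytes(data)

def extract_hosts(payload):
    """Host names of http(s) URLs embedded in the payload, in order, deduplicated."""
    hosts = []
    for m in URL_RE.finditer(payload):
        host = m.group(1).decode("ascii").rstrip(".").lower()
        if host not in hosts:
            hosts.append(host)
    return hosts

if __name__ == "__main__":
    start, payload = parse_dump(DUMP)
    print(f"{len(payload)} bytes from {start:#06x}: {payload.decode('ascii')}")
    print("embedded hosts:", extract_hosts(payload))
```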
