Security Incidents mailing list archives

Re: A new Code Red variant


From: "jason" <jpotopa () qwest net>
Date: Wed, 1 Aug 2001 14:36:18 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Correct me if I'm wrong, but the sadmind worm will infect Solaris
sadmind, then look to infect IIS.  The IIS infection is just a
defacement and no propagation code is on the IIS server.  If what
we're seeing is an infected IIS box, scanning to infect someone else,
this would be new.

If I'm off my rocker, someone hit me.

Jason Potopa

----- Original Message -----
From: "Andrew Cardwell" <acardwell () btinternet com>
To: "Scott Wunsch" <bugtraq () tracking wunsch org>;
<incidents () securityfocus com>
Sent: Wednesday, August 01, 2001 11:03 AM
Subject: RE: A new Code Red variant


Interestingly, when I view this page my virus checker (Norton) says
that the backdoor sadmind.dr is included in the temporary files
downloaded when I viewed the webpage (IE).

Scott - you may want to check your mirror.


--
Andrew Cardwell (CISSP/SSCP) - acardwell () btinternet com
Mobile: +44 7092 028 865 - Home Office: +44 1353 659274

-----Original Message-----
From: Scott Wunsch [mailto:bugtraq () tracking wunsch org]
Sent: Wednesday, August 01, 2001 8:07 PM
To: incidents () securityfocus com
Subject: A new Code Red variant


Glancing at my Apache logs, I noticed what looked like a typical
Code Red hit at 11:50:59 CST from 61.141.213.162 (which resolves
to a name in .cn). I fired up my web browser and pointed it at
that IP, wondering whether it was defaced by CRv1, or looked
normal (i.e., CRv2).

It appears likely to be defaced, all right, but not with the
usual CRv1 message.  Could we have yet another new strain out
there?

In case the box has been cleaned up, I mirrored the defaced page
at <http://www.wunsch.org/mirrors/codered/>.  The text is as
follows, in red on a black background:

fuck CHINA Government

fuck PoizonBOx

contact:sysadmcn () yahoo com cn

--
Take care,
Scott \\'unsch

... St... St... Stu... St... Stuttering Ta... Tagline.



--------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO2h2UVL3u0OElmjPEQKnyQCg79J37hNtVdA+OS7dOIyhyIjylaEAmweh
UlSo/k5vRiSKp6gcCTp0u7gy
=A4YT
-----END PGP SIGNATURE-----
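Scott's first step (spotting a Code Red hit in his Apache logs) and Jason's question of whether the scanning source could instead be a sadmind/IIS-infected box, turned into a small log-triage script as an added example that is not code from this thread. It labels each request as Code Red-style (the /default.ida overflow probe) or IIS Unicode-traversal-style (the hole the sadmind/IIS worm used against IIS) and tallies distinct sources per family; the log lines and addresses are constructed.

```python
import re
from collections import Counter
# Constructed Apache access-log lines (RFC 5737 addresses); not from the original post.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2001:11:50:59 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
192.0.2.11 - - [01/Aug/2001:11:52:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
192.0.2.12 - - [01/Aug/2001:11:53:40 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Aug/2001:11:54:12 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
"""

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Code Red family: a /default.ida request whose query string opens with a long run of
# one filler byte (N for CRv1/v2; Code Red II later used X) ahead of the %u-encoded payload.
CODE_RED_RE = re.compile(r'^/default\.ida\?(.)\1{19,}', re.IGNORECASE)
# sadmind/IIS-style probe: Unicode or double-encoded "../" traversal reaching cmd.exe.
IIS_TRAVERSAL_RE = re.compile(r'(%c0%af|%c1%9c|%c1%1c|%255c|%252f).*cmd\.exe', re.IGNORECASE)

def classify(path):
    """Label one request path as CODE_RED, IIS_TRAVERSAL or OTHER."""
    if CODE_RED_RE.search(path):
        return "CODE_RED"
    if IIS_TRAVERSAL_RE.search(path):
        return "IIS_TRAVERSAL"
    return "OTHER"

def triage(log_text):
    """Parse access-log text and return (ip, timestamp, label) for every worm-like hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a parseable request line; skip rather than guess
        label = classify(m["path"])
        if label != "OTHER":
            hits.append((m["ip"], m["ts"], label))
    return hits

def sources_by_family(hits):
    """Distinct scanning sources per family, each a candidate for the manual check Scott did."""
    families = {label for _, _, label in hits}
    return {f: Counter(ip for ip, _, label in hits if label == f) for f in families}

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip, ts, label in found:
        print(f"{ts}  {ip:<15}  {label}")
    print(sources_by_family(found))
```

A source that shows up under both families, or an IIS-traversal hit that is followed by outbound scanning, is exactly the case Jason flags as new and worth a closer look.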




