Security Incidents mailing list archives

RE: A new Code Red variant


From: "Andrew Cardwell" <acardwell () btinternet com>
Date: Wed, 1 Aug 2001 20:03:05 +0200

Interestingly, when I view this page my virus checker (Norton) says that the
backdoor sadmind.dr is included in the temporary files downloaded when I
viewed the webpage (IE).

Scott - you may want to check your mirror.


--
Andrew Cardwell (CISSP/SSCP) - acardwell () btinternet com
Mobile: +44 7092 028 865 - Home Office: +44 1353 659274

-----Original Message-----
From: Scott Wunsch [mailto:bugtraq () tracking wunsch org]
Sent: Wednesday, August 01, 2001 8:07 PM
To: incidents () securityfocus com
Subject: A new Code Red variant


Glancing at my Apache logs, I noticed what looked like a typical Code Red
hit at 11:50:59 CST from 61.141.213.162 (which resolves to a name in .cn).
I fired up my web browser and pointed it at that IP, wondering whether it
was defaced by CRv1, or looked normal (i.e., CRv2).

It appears likely to be defaced, all right, but not with the usual CRv1
message.  Could we have yet another new strain out there?

In case the box has been cleaned up, I mirrored the defaced page at
<http://www.wunsch.org/mirrors/codered/>.  The text is as follows, in red
on a black background:

fuck CHINA Government

fuck PoizonBOx

contact:sysadmcn () yahoo com cn

--
Take care,
Scott \\'unsch

... St... St... Stu... St... Stuttering Ta... Tagline.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com