Security Incidents mailing list archives

Re: A new Code Red variant

From: Daniel Harrison <danielh () loudcloud com>
Date: Wed, 01 Aug 2001 14:36:26 -0700

You are correct. The sadmin worm infects a sun box and then launches a unicode
attack against any web server it finds. It only propagates through the sun side.
The is however a different version. The original had fuck usa government.

-dan

jason wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

correct me if I'm wrong, but the sadmind worm will infect solaris
sadmind, then look to infect iis.  the iis infection is just a
defacement and no propigation code is on the iis server.  If what
we're seeing is an infected iis box, scanning to infect someone else,
this would be new.

If I'm off my rocker, someone hit me.

Jason Potopa



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

A new Code Red variant Scott Wunsch (Aug 01)
- Re: A new Code Red variant Blake Frantz (Aug 01)
- RE: A new Code Red variant JKruser (Aug 01)
- RE: A new Code Red variant Andrew Cardwell (Aug 01)
  - Re: A new Code Red variant Scott Wunsch (Aug 01)
  - Re: A new Code Red variant jason (Aug 01)
    - Re: A new Code Red variant Daniel Harrison (Aug 01)
- <Possible follow-ups>
- RE: A new Code Red variant Steve Halligan (Aug 01)
  - Apache Logs and Code Red andrew (Aug 01)