Re: "Code Red" worm - there MUST be at least two versions.

[Ilya Zherebetskiy <webmaster () interdome com>]

At 05:40 PM 7/20/01 -0400, you wrote:
> On Fri, Jul 20, 2001 at 12:15:46PM -0600, Don Papp spake thusly:
> >       I wonder if I have seen this variant - a person I emailed has a
> > server whose web pages served looks a lot like the Code Red worm's output
> > (1 line of simple html) displaying
> >
> >       FUCK CHINA GOVERNENT
> >       and p0isonb0x (or something like that)
> >
> >       On a black background.  The web files themselves are untouched.
>
> I think this was something else - maybe a similar worm, but it used
> a different attack:
>
> "GET 
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\ 
>
> shell.exe" 404 -

That's a unicode hack that exploits the /scripts/ directory.  By default 
IIS installation, /scripts/ has "execute" as its permission, and a bug in 
microsofts IIS, unicode can be passed in, and cmd.exe can be executed, 
allowing intruder full system access.

For more info:
http://www.sans.org/y2k/unicode.htm

Ilya Zherebetskiy
Brainlink Development

> The machine that sent that to me had that same web page up, and I
> also got one from a different IP (on the same subnet) a few hours
> before that. That was a week ago though - July 13...
>
> --
> Jon-o Addleman


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com