Security Incidents mailing list archives
Re: "Code Red" worm - there MUST be at least two versions.
From: Ilya Zherebetskiy <webmaster () interdome com>
Date: Mon, 23 Jul 2001 19:30:32 -0400
At 05:40 PM 7/20/01 -0400, you wrote:
On Fri, Jul 20, 2001 at 12:15:46PM -0600, Don Papp spake thusly: > I wonder if I have seen this variant - a person I emailed has a > server whose web pages served looks a lot like the Code Red worm's output > (1 line of simple html) displaying > > FUCK CHINA GOVERNENT > and p0isonb0x (or something like that) > > On a black background. The web files themselves are untouched. I think this was something else - maybe a similar worm, but it used a different attack:"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -
That's a unicode hack that exploits the /scripts/ directory. By default IIS installation, /scripts/ has "execute" as its permission, and a bug in microsofts IIS, unicode can be passed in, and cmd.exe can be executed, allowing intruder full system access.
For more info: http://www.sans.org/y2k/unicode.htm Ilya Zherebetskiy Brainlink Development
The machine that sent that to me had that same web page up, and I also got one from a different IP (on the same subnet) a few hours before that. That was a week ago though - July 13... -- Jon-o Addleman
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: "Code Red" worm - there MUST be at least two versions. Ilya Zherebetskiy (Jul 23)