Security Incidents mailing list archives

Apache Logs and Code Red

From: andrew <a_weisburd () mac com>
Date: Wed, 1 Aug 2001 14:29:31 -0500

Compare the entries in the apache error log with those of the access log.

The CodeRed entries in the apache access log will have the telltale'default.ida' stuff


The apache error log is a quicker read, but will only say:

[Wed Aug 1 12:11:01 2001] [error] [client 200.41.239.162] Client sentmalformed Host header

And sadmind and CodeRed seem to share this error message.

Pardon me while read the latest SirCam attachment to show up in my inbox..
.

Andrew


On Wednesday, August 1, 2001, at 01:29 , Steve Halligan wrote:

This is the sadmind worm.

-----Original Message-----
From: Scott Wunsch [mailto:bugtraq () tracking wunsch org]
Sent: Wednesday, August 01, 2001 1:07 PM
To: incidents () securityfocus com
Subject: A new Code Red variant

Glancing at my Apache logs, I noticed what looked like a
typical Code Red
hit at 11:50:59 CST from 61.141.213.162 (which resolves to a
name in .cn).
I fired up my web browser and pointed it at that IP,
wondering whether it
was defaced by CRv1, or looked normal (i.e., CRv2).

It appears likely to be defaced, all right, but not with the
usual CRv1
message.  Could we have yet another new strain out there?

In case the box has been cleaned up, I mirrored the defaced page at
<http://www.wunsch.org/mirrors/codered/>.  The text is as
follows, in red
on a black background:

fuck CHINA Government

fuck PoizonBOx

contact:sysadmcn () yahoo com cn


--
Take care,
Scott \\'unsch

... St... St... Stu... St... Stuttering Ta... Tagline.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

QUIT


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

Current thread:

A new Code Red variant Scott Wunsch (Aug 01)
- Re: A new Code Red variant Blake Frantz (Aug 01)
- RE: A new Code Red variant JKruser (Aug 01)
- RE: A new Code Red variant Andrew Cardwell (Aug 01)
  - Re: A new Code Red variant Scott Wunsch (Aug 01)
  - Re: A new Code Red variant jason (Aug 01)
    - Re: A new Code Red variant Daniel Harrison (Aug 01)
- <Possible follow-ups>
- RE: A new Code Red variant Steve Halligan (Aug 01)
  - Apache Logs and Code Red andrew (Aug 01)