On Fri, 20 Jul 2001, Don Papp wrote:

> I wonder if I have seen this variant - a person I emailed has a
> server whose web pages served looks a lot like the Code Red worm's output
> (1 line of simple html) displaying
>
> FUCK CHINA GOVERNENT
> and p0isonb0x (or something like that)
>
> On a black background. The web files themselves are untouched.
>
> Actually I have the source of what it spits out:
>
> <html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
> align="center"><font size=7 color=red>fuck CHINA
> Government</font><tr><td><p align="center"><font size=7 color=red>fuck
> PoizonBOx<tr><td><p align="center"><font size=4
> color=red>contact:sysadmcnyahoo.com.cn</html>
>

I would tend to assume that isn't a variant of the worm. It's certainly
not CRv1 or CRv2. The HTML is about 40 bytes longer than that in Code
Red, so it would be a bit more than simply changing the HTML code in the
worm and relaunching; you'd have to adjust the content length reference,
and a number of other items. I would think it's non-trivial.

I would think this was a hand-done response to Code Red.

                                        Ryan

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]