From: Johnston, Jack (JohnstonJmtmc.army.mil)
Date: Wed Aug 01 2001 - 13:06:26 CDT


    It was a web site the Code Red Worm sent data to, once it infected a
    machine.
    It was part of the CR script. Site has been shut down a while ago.
    Part of the CR script:
    <snip>
    > 0x0370 7369 7a65 3d35 3e3c 666f 6e74 2063 6f6c size=5><font.col
    > 0x0380 6f72 3d22 7265 6422 3e3c 7020 616c 6967 or="red"><p.alig
    > 0x0390 6e3d 2263 656e 7465 7222 3e57 656c 636f n="center">Welco
    > 0x03a0 6d65 2074 6f20 6874 7470 3a2f 2f77 7777 me.to.http://www
    > 0x03b0 2e77 6f72 6d2e 636f 6d20 213c 6272 3e3c .worm.com.!<br><
    > 0x03c0 6272 3e48 6163 6b65 6420 4279 2043 6869 br>Hacked.By.Chi
    > 0x03d0 6e65 7365 213c 2f66 6f6e 743e 3c2f 6872 nese!</font></hr
    > 0x03e0 3e3c 2f62 6164 793e 3c2f 6874 6d6c 3e20 ></bady></html>.
    <snip>

    Jack Johnston
    Information Assurance Manager
    Information Warfare Officer
    member: AVIEN
    http://www.avien.org/earlywarning.html

    ----Original Message-----
    From: Sean Kelly [mailto:listsshortestpath.org]
    Sent: Wednesday, August 01, 2001 11:36 AM
    To: incidentssecurityfocus.com
    Subject: http://www.worm.com/default.ida? requests

            My webcache is having a massive amount of requests for
    http://www.worm.com/default.ida?. Is this an infected machine trying to
    scan, or is this a scanner trying to detect compromised hosts?

            I have found a reference to www.worm.com in a document saying it
    is part of the text placed on the homepage of a web server that has been
    defaced by Code Red.

            Thanks,

    --
    Sean Kelly
    

    ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
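
Added example (not part of the original thread): a parser for the hex dump quoted in the reply above. It cross-checks the hex column against the ASCII column and lists the hostnames embedded in the payload, so they can be searched for in web cache or proxy logs. The dump lines are copied from the post; the function names are this example's own.

```python
import re

# Dump lines copied from the post above, mail quote markers included.
DUMP = """\
> 0x0370 7369 7a65 3d35 3e3c 666f 6e74 2063 6f6c size=5><font.col
> 0x0380 6f72 3d22 7265 6422 3e3c 7020 616c 6967 or="red"><p.alig
> 0x0390 6e3d 2263 656e 7465 7222 3e57 656c 636f n="center">Welco
> 0x03a0 6d65 2074 6f20 6874 7470 3a2f 2f77 7777 me.to.http://www
> 0x03b0 2e77 6f72 6d2e 636f 6d20 213c 6272 3e3c .worm.com.!<br><
> 0x03c0 6272 3e48 6163 6b65 6420 4279 2043 6869 br>Hacked.By.Chi
> 0x03d0 6e65 7365 213c 2f66 6f6e 743e 3c2f 6872 nese!</font></hr
> 0x03e0 3e3c 2f62 6164 793e 3c2f 6874 6d6c 3e20 ></bady></html>.
"""

def render(data):
    # Convention used by the dump in the post: bytes outside 0x21-0x7e (space included) show as "."
    return "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in data)

def parse_dump(text):
    """Return (start_offset, payload); raise ValueError on malformed or inconsistent lines."""
    payload, start, expected = bytearray(), None, None
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.lstrip("> \t").split()
        if len(tokens) < 3 or not tokens[0].lower().startswith("0x"):
            continue  # not a dump line (blank, <snip>, prose)
        offset = int(tokens[0], 16)
        chunk = bytes.fromhex("".join(tokens[1:-1]))  # last token is the ASCII column
        if expected is not None and offset != expected:
            raise ValueError(f"line {n}: offset gap, expected {expected:#06x}")
        if render(chunk) != tokens[-1]:
            raise ValueError(f"line {n}: hex and ASCII columns disagree")
        start = offset if start is None else start
        expected = offset + len(chunk)
        payload += chunk
    if start is None:
        raise ValueError("no dump lines found")
    return start, bytes(payload)

def embedded_hosts(payload):
    """Hostnames of http(s) URLs embedded in the payload, in order, de-duplicated."""
    hosts = re.findall(rb"https?://([A-Za-z0-9.-]+)", payload)
    return list(dict.fromkeys(h.decode("ascii").rstrip(".").lower() for h in hosts))

if __name__ == "__main__":
    start, payload = parse_dump(DUMP)
    print(f"{len(payload)} bytes from offset {start:#06x}")
    print(payload.decode("ascii"))
    print(embedded_hosts(payload))
```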