From: Andrew Cardwell (acardwellbtinternet.com)
Date: Wed Aug 01 2001 - 13:03:05 CDT

    Interestingly when I view this page my virus checker (Norton) says that the
    backdoor sadmind.dr is included in the temporary files downloaded when I
    viewed the webpage (IE).

    Scott - you may want to check your mirror.

    --
    Andrew Cardwell (CISSP/SSCP) - acardwellbtinternet.com
    Mobile: +44 7092 028 865 - Home Office: +44 1353 659274
    

    > -----Original Message-----
    > From: Scott Wunsch [mailto:bugtraqtracking.wunsch.org]
    > Sent: Wednesday, August 01, 2001 8:07 PM
    > To: incidentssecurityfocus.com
    > Subject: A new Code Red variant
    >
    >
    > Glancing at my Apache logs, I noticed what looked like a typical Code Red
    > hit at 11:50:59 CST from 61.141.213.162 (which resolves to a name in .cn).
    > I fired up my web browser and pointed it at that IP, wondering whether it
    > was defaced by CRv1, or looked normal (i.e., CRv2).
    >
    > It appears likely to be defaced, all right, but not with the usual CRv1
    > message. Could we have yet another new strain out there?
    >
    > In case the box has been cleaned up, I mirrored the defaced page at
    > <http://www.wunsch.org/mirrors/codered/>. The text is as follows, in red
    > on a black background:
    >
    > > fuck CHINA Government
    > >
    > > fuck PoizonBOx
    > >
    > > contact:sysadmcnyahoo.com.cn
    >
    > --
    > Take care,
    > Scott \\'unsch
    >
    > ... St... St... Stu... St... Stuttering Ta... Tagline.
    >
