Re: Code Red - A Possible Origin?

From: Michael J. Cannon (mcannon@ubiquicomm.com)
Date: 08/24/01


Message-ID: <001a01c12cda$7a00ccd0$5e389418@scooby>
From: "Michael J. Cannon" <mcannon@ubiquicomm.com>
To: <cefek@michalnazarewicz.com>, <incidents@securityfocus.com>
Subject: Re: Code Red - A Possible Origin?
Date: Fri, 24 Aug 2001 15:22:19 -0500

Saw the message in source, when I was looking at the site originally.

But couldn't this also be a red herring, placed there by the author of CR to
divert suspicion...it is, after all, easy and trivial to add that to a web
page's source.

Especially given that they are running on Linux and Apache (link here:
http://uptime.netcraft.com/up/graph/?host=www.tao.ca) Note: again,
netcraft results to be taken as an indicator and not gospel. However, it
makes sense, since they are otherwise so down on Microsoft and seem to glory
in their 'leetness.'

Mike
----- Original Message -----
From: "Michal Nazarewicz" <m.nazarewicz@dkgroup.com.pl>
To: "'Michael J. Cannon'" <mcannon@ubiquicomm.com>;
<incidents@securityfocus.com>
Sent: Friday, August 24, 2001 2:42 AM
Subject: RE: Code Red - A Possible Origin?

> > Tongue VERY firmly in cheek here, gang. Let's not mistake a group's target
> > of opportunity for the real thing. But it's interesting that someone would
> > have the balls to claim responsibility, no matter how indirectly.
>
> ...let's also add that there is a message written in black on black
> background which says:
>
> red worm denial-of-service dos code welcome to http://www.worm.com! Hacked
> by Chinese - xo ha
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
