[Dshield] ALERT!!!!!!!!!

Johannes B. Ullrich jullrich at euclidian.com
Thu Nov 22 23:25:56 GMT 2001

Hash: SHA1

I don't think I did see this signature 'in the wild', but I think I 
remember some talk about a 'Code Green' with a similar signature 
(including the web site pointers and dedication) a few months back. The 
intent of 'code green' was to use the MSFT IIS index server vulnerability 
to remotly patch the effected server, without necessarily asking the owner 
of the server for permission. There was some talk about the legal and 
moral aspects of doing this.

Overall, the basic rule is like for any other 'hack' like that: They are 
anoying but harmless if you are patched. If you are not patched, you 
probably won't see the signature to begin with...

On Thu, 22 Nov 2001, Gsw wrote:

> My servers receive this:
> GET 
> /default.ida?Code_Green_<I_like_the_colour-_-><AntiCodeRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_to_my_sisterli_'Doro'.Save_Whale_and_visit_<www.buhaboard.de>_and_<www.buha-security.de>%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
> HTTP/1.0
> Content-type: text/xml
> Accept: */*
> Content-length: 5544
> From:
> Another code red/blu/green/rainbow.....
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www1.dshield.org/mailman/listinfo/dshield

- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


More information about the list mailing list