[Dshield] ALERT!!!!!!!!!

John Sage jsage at finchhaven.com
Fri Nov 23 00:41:29 GMT 2001


Johannes, et al:

See: http://www.vnunet.com/News/1125206

"Over the weekend, a German coder calling himself Herbert HexXer 
released a program called Code Green which patches vulnerable systems 
and removes backdoors left by Code Red II. Machines which have Code 
Green installed randomly scan the internet for NT servers infected with 
the Code Red variant."


And this: http://www.securityfocus.com/archive/82/211428


"To: Vuln-Dev
Subject: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)
Date: Sep  1 2001  2:42PM
Author: Herbert HexXer <derhexxer at gmx.net>
Message-ID: <3678.999348125 at www45.gmx.net>

hello guys ...

... i have been developing code that should patch the ISAPI filter
buffer overflow vulnerability (the vulnerability CodeRed is exploiting)
discovered by eEye (walk through the code for details). As I am on vacation
tomorrow and I don't have the time to excessively debug the code, I
posted this code here.

Perhaps some ppl might learn from this code (eventually someone could finish
what I began[debug/testing]).

Be sure to know what you are doing, as this code uses 'viral/worm'
techniques and could potentially cause damage.

THIS CODE IS DESIGNED FOR EDUCATIONAL PURPOSES ONLY;
REMEMBER THAT IT IS ONLY A BETA VERSION.

I will not take responsibility for any damage that might be caused by this
code.

Be sure to have understood the code and its purpose before beginning to play
with it. Feel free to modify the code at will, but don't blame me in
case something should not work like expected.

Aloah, Der HexXer."


- John



Johannes B. Ullrich wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> I don't think I did see this signature 'in the wild', but I think I 
> remember some talk about a 'Code Green' with a similar signature 
> (including the web site pointers and dedication) a few months back. The 
> intent of 'code green' was to use the MSFT IIS index server vulnerability 
> to remotely patch the affected server, without necessarily asking the owner 
> of the server for permission. There was some talk about the legal and 
> moral aspects of doing this.
> 
> Overall, the basic rule is like for any other 'hack' like that: They are 
> annoying but harmless if you are patched. If you are not patched, you 
> probably won't see the signature to begin with...
> 
> 
> On Thu, 22 Nov 2001, Gsw wrote:
> 
> 
>>My servers receive this:
>>
>>GET /default.ida?Code_Green_<I_like_the_colour-_-><AntiCodeRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_to_my_sisterli_'Doro'.Save_Whale_and_visit_<www.buhaboard.de>_and_<www.buha-security.de>%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
>>Content-type: text/xml
>>Accept: */*
>>Content-length: 5544
>>
>>From: 66.136.29.113
>>
>>Another code red/blu/green/rainbow.....
>>
