
The script is SOOOOOO silly

Posted Oct 25, 2004 15:06 UTC (Mon) by jeld (guest, #22397)
In reply to: The script is SOOOOOO silly by pascal.martin
Parent article: Fake Red Hat security update

Obviously it is not running IIS anymore; it runs some sort of Apache. Here is the transcript:

HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 25 Oct 2004 15:04:21 GMT
Server: Apache
Last-Modified: Mon, 10 May 2004 19:45:39 GMT
ETag: "35802a-373b-40f47ec0"
Accept-Ranges: bytes
Content-Length: 14139
Connection: close
Content-Type: text/html; charset=UTF-8



addlebrain.com

Posted Oct 26, 2004 1:57 UTC (Tue) by jtc (guest, #6246)

I missed where addlebrain.com fits into this, but I get the following results from HEAD:

$ HEAD addlebrain.com
200 OK
Cache-Control: private
Connection: close
Date: Tue, 26 Oct 2004 01:55:17 GMT
Server: Microsoft-IIS/6.0
Content-Type: text/html; charset=utf-8
Client-Date: Tue, 26 Oct 2004 01:51:12 GMT
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
X-AspNet-Version: 1.1.4322
X-Powered-By: ASP.NET

addlebrain.com

Posted Oct 26, 2004 2:54 UTC (Tue) by jeld (guest, #22397)

Well... looks like you are right, except that addlebrain.com (running IIS 6) is being redirected to www.addlebrain.com, running Apache. Since this is a valid site, and the email address where the script is sending cracked host info is root@addlebrain.com, I figured that someone rooted one of addlebrain's boxes. Otherwise I don't know. addlebrain.com seems to belong to a company called ABM Wireless, which sells cell phone accessories. The MX record for addlebrain.com points to a server on the everyone.net domain, which is a mail hosting company. I cannot find much info about the addlebrain.com IP address, but the www.addlebrain.com address belongs to a dedicated web server/colocation company, ThePlanet.com.
