"Christopher A. Woodfield" wrote:
FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II probes from, and didn't get a shell prompt on any of them. Are people cleaning up their boxes that quickly?
Did you telnet to port 80 and make a specific HTTP GET request for the root.exe? It isn't just sitting there in the open... Another possibility, if you actually did that and didn't get the shell, is the (unlikely) event that the admin actually had the forethought to limit the ACLs on their system directory and the worm couldn't copy the needed file (unlikely because someone who knows enough to do that would have already patched).

Then "mike harrison" wrote:
I have been told, but not personally confirmed, of non-IIS machines being infected with CodeRed (I or II not known, assume II). Infection method: running a file from somewhere? They still scan out and seek victims, just no webserver running.
I highly doubt this. The vulnerability is very specific to IIS servers, and unless a new hybrid worm has been released, it's just not possible. Also note that @Home is now blocking incoming port 80 connections. This will prevent further infections inbound on their (residential) network, but does nothing to prevent already compromised hosts from continuing to scan the rest of the net. This is the most likely reason for seeing scans that don't look like they are originating from IIS servers. The next most likely reason is that the worm has totally hosed IIS. Another possibility is having one public server connected to a LAN that then infects everything else behind its firewall. At this point, you can't necessarily deduce anything from an inability to connect on port 80 to an infected host.

Mike