-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Although @home may be blocking incoming port 80 it is still allowing those connections which originate inside its network to proceed. In the last few hours I have received numerous probes to port 80 on my home machine which have originated from within the @home network. So far all of the addresses have come from the Left Coast. While a few have come from WA and OR, most have been from San Diego (I'm in Orange County which is between San Diego and Los Angeles). Obviously this does not bode well for Code Red II ending any time soon since it is non-tech home users who are the least likely to patch their systems (or even know about Code Red vX). Maybe @home should limit outbound port 80 connections as well! :)

Larry Diffey

- ----- Original Message -----
From: "Mike Lewinski" <mike@rockynet.com>
To: <nanog@merit.edu>
Sent: Thursday, August 09, 2001 9:39 PM
Subject: Re: Code Red 2 cleanup; reporting..
"Christopher A. Woodfield" wrote:
FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II probes from, and didn't get a shell prompt on any of them. Are people cleaning up their boxes that quickly?
Did you telnet to port 80 and make a specific http GET request for the root.exe? It isn't just sitting there in the open....
Another possibility, if you actually did that and didn't get the shell, is the (unlikely) event that the admin actually had the forethought to limit the ACLs on their system directory and the worm couldn't copy the needed file (unlikely because someone who knows enough to do that would have already patched).
Then "mike harrison" wrote:
I have been told, but not personally confirmed, of non-IIS machines being infected with CodeRed (I or II not known, assume II). Infection method: running a file from somewhere? They still scan out and seek victims, just no webserver running.
I highly doubt this. The vulnerability is very specific to IIS servers, and unless a new hybrid worm has been released, it's just not possible.
Also note that @Home is now blocking incoming port 80 connections. This will prevent further infections inbound on their (residential) network, but does nothing to prevent already compromised hosts from continuing to scan the rest of the net. This is the most likely reason for seeing scans that don't look like they are originating from IIS servers. The next most likely reason is that the worm has totally hosed IIS.
Another possibility is having one public server connected to a LAN that then infects everything else behind its firewall.
At this point, you can't necessarily deduce anything from an inability to connect on port 80 to an infected host.
Mike
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8

iQA/AwUBO3N41Fo9DaZGgGo0EQK3TgCgoo2yzZYbpRDVdRYc+7Mdf53ay+kAoOsO
PQdP2JBODGI7E5+EoNul2f3k
=2VE3
-----END PGP SIGNATURE-----
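The check Mike describes (an HTTP GET for root.exe rather than a bare telnet to port 80) and his caveat (a failed connect proves nothing) can be turned into a small verification script. The following is an added example written for this page, not code from any of the posters; it assumes the worm's copy of cmd.exe sits at /scripts/root.exe or /msadc/root.exe, and it uses a throwaway local HTTP server so it runs offline. It only requests the file and reads the status code; it does not pass the backdoor any command. The three verdicts separate "backdoor served" from "reachable but no root.exe" from "no HTTP service reachable", because the last case is exactly the one the thread says you cannot draw conclusions from.

```python
import http.client
import socket
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer

# Locations where Code Red II dropped its copy of cmd.exe (assumed for this example).
ROOT_EXE_PATHS = ("/scripts/root.exe", "/msadc/root.exe")


@dataclass
class ProbeResult:
    host: str
    port: int
    verdict: str  # "backdoor_present", "not_found" or "inconclusive"
    detail: str


def probe_root_exe(host, port=80, timeout=5.0):
    """GET each known root.exe path; classify by what the server does.

    A connection that never completes or never speaks HTTP is reported as
    inconclusive: the host may be filtered, its IIS may be hosed, or port 80
    may simply be closed. None of those tell you whether it is infected.
    """
    for path in ROOT_EXE_PATHS:
        try:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
            conn.request("GET", path, headers={"Host": host, "Connection": "close"})
            resp = conn.getresponse()
            status = resp.status
            resp.read()
            conn.close()
        except (OSError, http.client.HTTPException) as exc:
            return ProbeResult(host, port, "inconclusive",
                               f"no usable HTTP service on port {port}: {exc!r}")
        if status == 200:
            return ProbeResult(host, port, "backdoor_present",
                               f"{path} answered HTTP 200")
    return ProbeResult(host, port, "not_found",
                       "HTTP reachable but no known root.exe path is served")


def start_mock_server(served_paths):
    """Throwaway local server: 200 for served_paths, 404 for anything else.

    Constructed stand-in for a real IIS host so the example runs offline.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path in served_paths:
                body, code = b" Volume in drive C has no label.\r\n", 200
            else:
                body, code = b"Not Found", 404
            self.send_response(code)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the example quiet

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def closed_local_port():
    """Pick a loopback port that is currently closed (for the inconclusive case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    infected = start_mock_server({"/scripts/root.exe"})
    clean = start_mock_server(set())
    for label, port in (("infected", infected.server_address[1]),
                        ("clean", clean.server_address[1]),
                        ("unreachable", closed_local_port())):
        r = probe_root_exe("127.0.0.1", port, timeout=2.0)
        print(f"{label:12s} port {port:5d}: {r.verdict} ({r.detail})")
    infected.shutdown()
    clean.shutdown()
```

Run against a real host by replacing 127.0.0.1 and the port; treat "inconclusive" as "go look at the scan logs instead", not as "cleaned up".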