worm creates a known backdoor. I'm certain that both the CodeRedII author and other black hats would love for us to compile a list of afflicted hosts for them to use.
They have a few 'friendly' webservers collecting addresses just like we do. Everyone on the 'net with a sniffer or web log now has such a list. It's a good thought though.
If we are pretty sure that is the case, how about posting a list somewhere for the good guys to see--or somebody send email to the ARIN-listed contact for the IP addresses detected. I'm trying to build a detector here, but it is hard, given the resources I can bring to bear. Mostly me, which means we are in really bad shape, resource-wise.
At 11:15 AM 8/5/01, you wrote:
worm creates a known backdoor. I'm certain that both the CodeRedII author and other black hats would love for us to compile a list of afflicted hosts for them to use.
They have a few 'friendly' webservers collecting addresses just like we do. Everyone on the 'net with a sniffer or web log now has such a list. It's a good thought though.
If we are pretty sure that is the case, how about posting a list somewhere for the good guys to see--or somebody send email to the ARIN-listed contact for the IP addresses detected.
I'm trying to build a detector here, but it is hard, given the resources I can bring to bear. Mostly me, which means we are in really bad shape, resource-wise.
Detecting hosts infected with CodeRed which are spewing requests is simple. Set up an Apache server, then scan the logs for "default.ida" in requests. Since Apache doesn't use such nonsense itself, they are Code Red requests.

Probably 50% of the CodeRed noise I'm seeing comes from hosts without INADDR, nearly all of the remainder is DSL, cable modem and dialup machines. So far, I've only recorded ONE www.<something>.com server sending requests to my servers.

I expect this month's round of Code Red floods (when the infected machines turn to DDoS mode) to be coming from home user machines. It's going to be a LOT harder to deal with these than it was with servers on corporate or colo networks.

-----------------------------------------------------------------
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranth.com
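The log-scanning approach described in the message above, as an added example that is not part of the original thread: it parses Apache common/combined log lines, counts requests for /default.ida per source address, and then splits the sources into those with and without reverse DNS (the INADDR distinction the message draws). The log lines are constructed for this example, the query string of the worm request is abbreviated, and the function names (scan_log, classify_sources, and the injectable ptr_lookup) are this example's own, not anything from the thread.

```python
import re
import socket
from collections import Counter

# Apache common/combined log line: host ident authuser [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The indicator named in the thread: a request for /default.ida, which Apache
# never serves itself. Compared case-insensitively because IIS paths are
# case-insensitive.
INDICATOR_PATH = "/default.ida"

# Constructed sample log lines (not taken from the thread); the query string of
# the worm request is abbreviated to a few X characters.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:11:20:01 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [05/Aug/2001:11:20:03 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [05/Aug/2001:11:21:09 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [05/Aug/2001:11:22:44 -0400] "GET /DEFAULT.IDA?XXXXXXXX HTTP/1.0" 404 276 "-" "-"
this line is not a valid log entry
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_request(request):
    """True if the request line targets /default.ida (query string ignored)."""
    parts = request.split()
    if len(parts) < 2:
        return False
    path = parts[1].split("?", 1)[0]
    return path.lower() == INDICATOR_PATH


def scan_log(lines):
    """Count /default.ida requests per source address.

    Returns (hits, unparsed): a Counter of source -> request count and the
    number of lines that did not match the log format, so malformed lines
    are reported rather than silently dropped.
    """
    hits = Counter()
    unparsed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        fields = parse_line(line)
        if fields is None:
            unparsed += 1
            continue
        if is_code_red_request(fields["request"]):
            hits[fields["host"]] += 1
    return hits, unparsed


def default_ptr_lookup(addr):
    """Reverse-DNS lookup; returns the PTR name or None if there is none."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None


def classify_sources(hits, ptr_lookup=default_ptr_lookup):
    """Split the counted sources into those with and without reverse DNS.

    ptr_lookup is injectable so the classification can run without network
    access; the default uses the resolver.
    """
    with_ptr, without_ptr = {}, []
    for addr in hits:
        name = ptr_lookup(addr)
        if name:
            with_ptr[addr] = name
        else:
            without_ptr.append(addr)
    return with_ptr, sorted(without_ptr)


if __name__ == "__main__":
    hits, unparsed = scan_log(SAMPLE_LOG.splitlines())
    for addr, count in hits.most_common():
        print(f"{addr:16} {count} request(s)")
    print(f"{unparsed} unparsed line(s)")
```

Only the request path is matched, not the query string, so the check does not depend on the exact payload bytes and still catches variants that differ only in the query; the reverse-DNS split is what lets an operator separate unnamed sources from the DSL, cable and dialup pools the message mentions when deciding whom to notify.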
One of the recent announcements about Code Red II says that due to a bug the worm only infects Windows 2000. It says the same is true for the original versions of Code Red.

If I am following things:

Both Windows 2000 and Windows NT are vulnerable to the IIS buffer overflow problem.
Only Windows 2000 is infected by the Code Red Worm I and II (so far).
Windows NT is not infected by the Code Red Worm I or II.

Is this really the case?

-Jeff
I believe code-I affects Windows NT. Microsoft has a patch for it on their site.

jmp

At 06:09 AM 8/6/01, Jeff Ogden wrote:
One of the recent announcements about Code Red II says that due to a bug the worm only infects Windows 2000. It says the same is true for the original versions of Code Red.
If I am following things:
Both Windows 2000 and Windows NT are vulnerable to the IIS buffer overflow problem.
Only Windows 2000 is infected by the Code Red Worm I and II (so far).
Windows NT is not infected by the Code Red Worm I or II.
Is this really the case?
-Jeff
participants (4)
- Daniel Senie
- Jeff Ogden
- John M Pedro
- Larry Sheldon