Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Full analysis of the .ida "Code Red" worm.

From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 19 Jul 2001 19:35:49 -0600 (MDT)
On Thu, 19 Jul 2001, Laurence Hand wrote:



I know MS watches this list, so I hope they will be checking their
servers before this starts the DDOS tomorrow.



I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC,
the next day).  I was getting 5-10 attempts an hour, and I've had 0
since 4:43:29 PDT.

Folks will notice that www.whitehouse.gov is still accessible.  The worm
authors only put in one IP address, the one for www1.whitehouse.gov.  BBN
(who appears to be the provider for whitehouse.gov, according to my
tracert) has blocked that single IP address at their peering points.  So
www2.whitehouse.gov is still running just fine.

Presumably, www.whitehouse.gov used to be RR DNS between the two.  Now,
www.whitehouse.gov resolves to just 198.137.240.92, and it has a TTL of
only 872.

For a relatively clever worm, the author sure screwed up his target list.
Whoops.

                                        Ryan
Previous By Date Next
Previous By Thread Next

Current thread: