Bugtraq mailing list archives
Re: Full analysis of the .ida "Code Red" worm.
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 19 Jul 2001 19:35:49 -0600 (MDT)
On Thu, 19 Jul 2001, Laurence Hand wrote:
> I know MS watches this list, so I hope they will be checking their servers before this starts the DDOS tomorrow.

I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC, the next day). I was getting 5-10 attempts an hour, and I've had 0 since 4:43:29 PDT.

Folks will notice that www.whitehouse.gov is still accessible. The worm authors only put in one IP address, the one for www1.whitehouse.gov. BBN (who appears to be the provider for whitehouse.gov, according to my tracert) has blocked that single IP address at their peering points. So www2.whitehouse.gov is still running just fine.

Presumably, www.whitehouse.gov used to be RR DNS between the two. Now, www.whitehouse.gov resolves to just 198.137.240.92, and it has a TTL of only 872.

For a relatively clever worm, the author sure screwed up his target list. Whoops.

Ryan