Bugtraq mailing list archives
Re: Mitigating some of the effects of the Code Red worm
From: "Johannes B. Ullrich" <jullrich () euclidian com>
Date: Thu, 19 Jul 2001 21:13:23 -0400 (EDT)
I have sent about 5000+ emails over the last week to systems very likely infected with the Red Alert Virus (based on data collected by DShield.org). It was the first time in the 6+ months I have been running that service that I got flooded with abusive e-mail because I attempted to notify sysadmins that their machine was hacked. Many just did not understand that, even though the report indicated a hit against port 80, it is not 'usual web traffic'. If you have a web server, there is no need for it to hit port 80 on random machines. Also, how hard is it to check if a machine is ok or not? The Code Red was not very obvious to spot, and it took us a couple of days to find out what was going on. But if someone tells you that a machine on your network is doing something that is perceived as unusual, why not take a quick look.

In short, as long as sysadmins don't start to care and get their systems up to date, things like this will continue to happen. I was lucky that the main submitters of the data were very patient with the abusive responses and took the time to respond to them individually. We are not talking about home users here, that installed the latest magic 'improve your modem speed' virus.

Well, I won't give up. I am sure the 'Dark Red Alert' is just around the corner waiting.. And I don't mind playing 'whack the worm' for a while. We could send 'RMV's to all Subsevens, or 'noworm' files to all IIS servers. But the next worm will not care... and if someone has no virus scanner they will get reinfected with subseven on their next visit to IRC. ....
1) There is something of an ongoing log of affected machines that can be obtained from boxes earlier in the IP list.
2) Machines which have been compromised can STILL be compromised.
3) The worm has a "lysine deficiency" which can be remotely introduced.
.....
Ben Lard University of Colorado, Boulder
--
jullrich () dshield org
Join http://www.DShield.org Distributed Intrusion Detection System
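The point made above, that a web server has no reason to initiate port-80 connections to random machines, can be turned into a simple check against a firewall log. The following is an added example, not code from the original post or from DShield; it assumes a constructed log format and a hypothetical local range of 10.0.0.0/24:

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical local address range (an assumption, not taken from the post).
LOCAL_NET = ip_network("10.0.0.0/24")

# Constructed sample firewall log (not from the original post), one connection per line:
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2001-07-19T20:01:02 10.0.0.5:1030 -> 192.0.2.10:80
2001-07-19T20:01:03 10.0.0.5:1031 -> 198.51.100.7:80
2001-07-19T20:01:03 10.0.0.5:1032 -> 203.0.113.44:80
2001-07-19T20:01:04 10.0.0.5:1033 -> 192.0.2.99:80
2001-07-19T20:01:05 10.0.0.5:1034 -> 198.51.100.200:80
2001-07-19T20:02:00 192.0.2.10:4021 -> 10.0.0.5:80
2001-07-19T20:02:01 10.0.0.7:2000 -> 192.0.2.10:80
2001-07-19T20:02:02 10.0.0.7:2001 -> 192.0.2.10:80
2001-07-19T20:02:03 10.0.0.7:2002 -> 192.0.2.10:443
"""

def parse_line(line):
    ts, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, ip_address(src_ip), int(src_port), ip_address(dst_ip), int(dst_port)

def summarize(log_text):
    """Per local host: distinct external port-80 targets it contacted, and whether it
    itself accepted inbound port-80 connections (i.e. it is a web server)."""
    targets = defaultdict(set)   # local source -> external destinations hit on port 80
    serving = set()              # local hosts that received inbound port-80 connections
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, _, dst, dport = parse_line(line)
        if dport != 80:
            continue
        if src in LOCAL_NET and dst not in LOCAL_NET:
            targets[src].add(dst)
        elif dst in LOCAL_NET and src not in LOCAL_NET:
            serving.add(dst)
    return targets, serving

def flag_hosts(log_text, min_targets=5):
    """Local hosts that opened port-80 connections to at least min_targets distinct
    external addresses. Each entry is (ip, target_count, is_web_server); a web server
    showing this fan-out is exactly the 'not usual web traffic' case described above."""
    targets, serving = summarize(log_text)
    return [(str(ip), len(dsts), ip in serving)
            for ip, dsts in sorted(targets.items()) if len(dsts) >= min_targets]
```

Lowering min_targets trades fewer missed hosts for more noise from ordinary browsing clients, so the threshold should be set against what normal outbound port-80 fan-out looks like on the network in question.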