Code Red 2 cleanup; reporting..

Larry Diffey ldiffey at technologyforward.com
Fri Aug 10 06:01:57 UTC 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Although @home may be blocking incoming port 80 it is still allowing
those connections which originate inside its network to proceed.  In
the last few hours I have received numerous probes to port 80 on my
home machine which have originated from within the @home network.  So
far all of the addresses have come from the Left Coast.  While a few
have come from WA and OR, most have been from San Diego (I'm in
Orange County which is between San Diego and Los Angeles).

Obviously this does not bode well for Code Red II ending any time
soon since it is non-tech home users who are the least likely to
patch their systems (or even know about Code Red vX).

Maybe @home should limit outbound port 80 connections as well! :)

Larry Diffey


- ----- Original Message ----- 
From: "Mike Lewinski" <mike at rockynet.com>
To: <nanog at merit.edu>
Sent: Thursday, August 09, 2001 9:39 PM
Subject: Re: Code Red 2 cleanup; reporting..


> 
> "Christopher A. Woodfield"  wrote:
> 
> > > FWIW, I just tried to telnet to the 20 most recent hosts I got
> > > Code Red II probes from, and didn't get a shell prompt on any of
> > > them. Are people cleaning up their boxes that quickly?
> 
> Did you telnet to port 80 and make a specific http GET request for
> the root.exe? It isn't just sitting there in the open....
> 
> Another possibility if you actually did that and didn't get the
> shell is the (unlikely) event that the admin actually had
> forethought to limit the ACL's on their system directory and the
> worm couldn't copy the needed file (unlikely because someone who
> knows enough to do that would have already patched).
> 
> Then "mike harrison" wrote:
> 
> > I have been told, but not personally confirmed, of non-IIS
> > machines being infected with CodeRed (I or II not known, assume
> > II). Infection method: running a file from somewhere?  They still
> > scan out and seek victims, just no webserver running.
> 
> I highly doubt this. The vulnerability is very specific to IIS
> servers, and unless a new hybrid worm has been released, it's just
> not possible.  
> 
> Also note that @Home is now blocking incoming port 80 connections.
> This will prevent further infections inbound on their (residential)
> network, but does nothing to prevent already compromised hosts from
> continuing to scan the rest of the net. This is the most likely
> reason for seeing scans that don't look like they are originating
> from IIS servers. The next most likely reason is that the worm has
> totally hosed IIS.
> 
> Another possibility is having one public server connected to a LAN
> that then infects everything else behind its firewall.
> 
> At this point, you can't necessarily deduce anything from an
> inability to connect on port 80 to an infected host.
> 
> Mike
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8

iQA/AwUBO3N41Fo9DaZGgGo0EQK3TgCgoo2yzZYbpRDVdRYc+7Mdf53ay+kAoOsO
PQdP2JBODGI7E5+EoNul2f3k
=2VE3
-----END PGP SIGNATURE-----
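The check Mike describes above (connect to port 80 and make a specific GET for root.exe, rather than expecting a shell prompt on connect) as a small Python script. This is an added example, not code from the thread or from anyone on it. It assumes the publicly documented behaviour of Code Red II, which drops a copy of cmd.exe as /scripts/root.exe and /MSADC/root.exe, and uses "/c+dir" as the harmless test argument; the sample responses below are constructed, not captured. It keeps the thread's caveat: a refused or timed-out connection is reported as exactly that, never as "clean", because a provider blocking inbound port 80 looks identical to a patched box.

```python
"""Probe a host for the Code Red II root.exe backdoor over plain HTTP.

Added example (not from the NANOG thread). Paths and the cmd.exe "dir"
output strings come from public descriptions of the worm; everything
else (host names, sample responses) is constructed for illustration.
"""
import socket

# Documented drop locations for the worm's copy of cmd.exe.
BACKDOOR_PATHS = ("/scripts/root.exe", "/MSADC/root.exe")
# cmd.exe /c dir -- harmless, but proves the shell actually executes.
TEST_COMMAND = "/c+dir"


def build_probe_request(host: str, path: str = BACKDOOR_PATHS[0]) -> bytes:
    """Build the raw HTTP/1.0 GET an operator would otherwise type into telnet."""
    return (
        f"GET {path}?{TEST_COMMAND} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def interpret_response(raw: bytes) -> str:
    """Classify a raw HTTP response.

    Returns one of:
      'backdoor-active'     200 and the body looks like cmd.exe "dir" output
      'backdoor-absent'     403/404: a web server answered, no root.exe
      'no-iis-or-not-http'  nothing, or not an HTTP status line at all
      'http-other'          any other HTTP status
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "no-iis-or-not-http"
    status = parts[1]
    if status == b"200" and (b"Volume in drive" in body or b"Directory of" in body):
        return "backdoor-active"
    if status in (b"403", b"404"):
        return "backdoor-absent"
    return "http-other"


def check_host(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Connect, send the probe, classify the reply.

    Network failures are returned as their own outcomes; they say nothing
    about whether the host is infected (a blocked port 80 looks the same
    as a cleaned box).
    """
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_probe_request(host))
            while sum(len(c) for c in chunks) < 65536:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except ConnectionRefusedError:
        return "connection-refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"network-error:{exc.errno}"
    return interpret_response(b"".join(chunks))


# Constructed sample responses, for running this offline.
SAMPLE_RESPONSES = {
    "infected": (
        b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
        b" Volume in drive C has no label.\r\n Directory of C:\\Inetpub\\scripts\r\n"
    ),
    "patched-iis": b"HTTP/1.1 404 Object Not Found\r\n\r\n<html>Not found</html>",
    "not-http": b"SSH-2.0-OpenSSH_2.9\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(f"{label:12s} -> {interpret_response(raw)}")
    # Live check of a host you administer, e.g. check_host("192.0.2.10").
```

Run it against your own IIS hosts after cleanup: "backdoor-absent" is what a patched box returns, "backdoor-active" means root.exe is still executing, and "connection-refused" or "timeout" is not evidence either way.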
