Was: Code Red 2 cleanup -- SHOULD NSPs PULL THE PLUG? Solutions?

z at s0be.net
Fri Aug 10 07:14:11 UTC 2001

On Thu, 9 Aug 2001, Etaoin Shrdlu wrote:

> No, sorry, lots of people are not cleaning up machines. I'm still being hit
> at home by the same machines I got hit by when this first started, for the
> most part. Sure, some of them are gone, but some are sure still here.
>


<--( SNIP )-->


Helu,

   Yes, this has been my finding as well. Over a 72-hour period not a
single machine on my long list of Code Red 2-infected machines has been
patched (meaning that root.exe exists and is GET'able). Despite
someone declaring that SecurityFocus stopped their reporting service, I
did forward on my list to them in the format they wanted for good measure.

   I have heard that some of the broadband companies have started
filtering port 80 ingress, which seems like putting a Pooh Bear
bandaid(tm) over a punctured artery... but nonetheless. I have heard
from quite a few people using various broadband services that the
performance degradation they are experiencing from the amount of
scanning being generated inside their networks is more than noticeable.

   This brings up another good question: shouldn't these NSPs identify
who these customers are, e-mail them, and try to call them at home/work
with patch procedures... and after a non-response perhaps pull the plug
entirely on the infected customer in question? I guess it would depend
on the numbers involved, but it seems to me that this would greatly
mitigate the performance degradation on their networks (and others', of
course).

   However, this brings up the issue of how the infected customer would
apply the patches in order to regain service. It would be quite costly
for the NSP to mail out CDs + instructions, and probably a waste of time
(people tend to throw CDs that come in the mail away without much
thought).

   I think an interesting solution to this problem, no matter how
unethical, would be to write a program that leverages the vulnerability to
patch the infected machine. In fact, it surprises me that this hasn't
been done.


   Thoughts?


.z
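As an added example (not part of the original post, and not the author's code): a small Python triage script that does the two checks the post relies on. It pulls Code Red II scanning sources out of web-server access logs, so an NSP can see which of its own customer addresses are doing the scanning, and it re-checks a watch list for a GET'able root.exe, which is the "still unpatched" signal the post uses. The probe signature (a long run of "X" padding in a GET for /default.ida; the original Code Red used "N") and the root.exe backdoor paths are taken from the public worm analyses of the time; the log lines, addresses and HTTP responses below are constructed, and the HTTP fetch is a caller-supplied stub so the script runs offline.

```python
import ipaddress
import re
from collections import Counter

# Probe signatures from the public worm analyses: Code Red II pads the
# /default.ida query with 'X', the original Code Red (v1/v2) with 'N'.
CRII_PROBE = re.compile(r'"GET /default\.ida\?X{20,}')
CRI_PROBE = re.compile(r'"GET /default\.ida\?N{20,}')

# First field of an Apache/IIS common-log-format line is the client address.
CLF_CLIENT = re.compile(r"^(\S+) ")

# Backdoor left by Code Red II: a copy of cmd.exe reachable over HTTP.
ROOT_EXE_PATHS = ("/scripts/root.exe", "/MSADC/root.exe")

# Constructed sample log lines (not real traffic); addresses are RFC 1918.
X_PAD = "X" * 224
N_PAD = "N" * 224
LOG_LINES = [
    f'10.0.0.5 - - [09/Aug/2001:10:01:02 +0000] "GET /default.ida?{X_PAD}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 -',
    '10.0.0.9 - - [09/Aug/2001:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 1482',
    f'192.168.4.20 - - [09/Aug/2001:10:02:31 +0000] "GET /default.ida?{N_PAD}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 -',
    f'10.0.0.5 - - [09/Aug/2001:10:03:44 +0000] "GET /default.ida?{X_PAD}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 -',
    f'10.0.1.7 - - [09/Aug/2001:10:05:00 +0000] "GET /default.ida?{X_PAD}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 -',
]


def classify_probe(line):
    """Return 'codered2', 'codered1' or None for one access-log line."""
    if CRII_PROBE.search(line):
        return "codered2"
    if CRI_PROBE.search(line):
        return "codered1"
    return None


def scanning_sources(log_lines, variant="codered2"):
    """Map client address -> number of probes of the given variant."""
    hits = Counter()
    for line in log_lines:
        if classify_probe(line) != variant:
            continue
        m = CLF_CLIENT.match(line)
        if m:
            hits[m.group(1)] += 1
    return dict(hits)


def sources_in_prefix(hits, prefix):
    """Scanning sources inside an NSP's own customer prefix, noisiest first,
    i.e. the customers to e-mail/call (and eventually unplug)."""
    net = ipaddress.ip_network(prefix)
    inside = [ip for ip in hits if ipaddress.ip_address(ip) in net]
    return sorted(inside, key=lambda ip: (-hits[ip], ip))


def recheck(hosts, fetch):
    """Split a watch list into (still_infected, cleaned, unreachable).

    `fetch(host, path)` is caller-supplied and returns an HTTP status code,
    or None if the host cannot be reached. Only a 200 on a root.exe path
    counts as "exists and is GET'able"; a host that answers but returns no
    200 is treated as cleaned; a host that never answers is neither.
    """
    infected, cleaned, unreachable = [], [], []
    for host in hosts:
        statuses = [fetch(host, path) for path in ROOT_EXE_PATHS]
        if 200 in statuses:
            infected.append(host)
        elif all(s is None for s in statuses):
            unreachable.append(host)
        else:
            cleaned.append(host)
    return infected, cleaned, unreachable


# Constructed responses standing in for a live HTTP probe (assumption).
FAKE_RESPONSES = {
    ("10.0.0.5", "/scripts/root.exe"): 200,
    ("10.0.0.5", "/MSADC/root.exe"): 200,
    ("10.0.1.7", "/scripts/root.exe"): 404,
    ("10.0.1.7", "/MSADC/root.exe"): 404,
}


def fake_fetch(host, path):
    """Offline stand-in for an HTTP GET; returns a status code or None."""
    return FAKE_RESPONSES.get((host, path))


if __name__ == "__main__":
    sources = scanning_sources(LOG_LINES)
    print("Code Red II sources:", sources)
    print("Inside 10.0.0.0/23:", sources_in_prefix(sources, "10.0.0.0/23"))
    print("Recheck:", recheck(["10.0.0.5", "10.0.1.7", "172.16.0.1"], fake_fetch))
```

To run this against a live list, replace `fake_fetch` with a function that issues a plain GET (or HEAD) for the path and returns the status code; do not append a command to root.exe, since the point of the recheck is only to confirm whether the backdoor is still present, not to use it.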

More information about the NANOG mailing list