Code Red 2 cleanup; reporting..

Etaoin Shrdlu shrdlu at deaddrop.org
Fri Aug 10 09:11:21 UTC 2001


"Steven M. Bellovin" wrote:
> 
> In message <3B7360B4.71755CA7 at deaddrop.org>, Etaoin Shrdlu writes:

[judicious clipping]

> >Believe it. I have at least three verified, and that was using web server
> >logs they'd hit, and ethereal running on the openbsd machine in my office,
> >which sits right next to the local building router. [Yes, it's true. IRL, I
> >work for Big Company X.]
> 
> So -- if he wasn't running IIS, what was he running?

Just a server, with the indexing vulnerability thing present and exploited.
It started a service at port 80 for him (lucky guy), but he had definitely
not started IIS. In fact, it had that stupid default page up that I've
usually seen in past when some application is installed the "personal web
server" for an unsuspecting user. I'm a little tired, and suspect that I no
longer have the specific stuff that was from that machine, but it wasn't
show anything at port 80 before 12:08 on Wednesday last, and it sure was
after.

It lives in a DHCP range (what's a server doing on DHCP? I don't know, he's
already shown that he doesn't think things through), so I occasionally look
for anon ftp and web servers, usually set up by crap that people install
from MS without realizing that they are now open to the world (at least
internally, they got pretty strict on the firewall rules quite a while
back). It looked like it was just a big disk space thing to me, although
the /scripts/root.exe directory did show up after he was exploited. I'll
have to ask him what the purpose of the machine was after things calm down.

You know, it's really bad when the television news folk are the biggest
security resource for people who should know better.

I wish I had the opportunity to take any of the three machines apart (out
of curiousity, and in the interest of furthering knowledge of the thing),
but they are already scrubbed (sort of) and back in service. I think that
they've just run that thing that MS offered up that removes the trojans and
changes the registry entries back. Personally, I believe that a triple low
level format is the appropriate response for trojans and virii (format,
change the disk geometry, format, change it back, format), but they don't
let me make policy. Bummer.

--
Open source should be about giving away things voluntarily. When
you force someone to give you something, it's no longer giving, it's
stealing. Persons of leisurely moral growth often confuse giving with
taking.    -- Larry Wall



More information about the NANOG mailing list