Code Red on dial-in ppp

Jason A. Mills phyxis at rottweiler.org
Sat Jul 21 16:28:08 UTC 2001


I'm not sure I see why a POTS PPP link, or some other slow(er) on-demand
link might stop CodeRed. The first-pass payload is under 4096 bytes
including framing, not exactly something you need a lot of low-latency
bandwidth to push through. :-/

-J


On Sat, 21 Jul 2001, Mitch Halmu wrote:

> 
> You may have received the following from codered at securityfocus.com
> 
> This mail is from the ARIS Analyzer Service (Attack Registry and
> Intelligence Service) from SecurityFocus. It has come to our attention
> that your system(s), listed below have been identified as being
> compromised by the Code Red Worm.  The Code Red Worm is rapidly
> spreading across the Internet, compromising vulnerable Windows NT IIS
> servers.
> 
> The addresses identified as belonging to you are as follows:
> 
> [ dynamic dial-in ip ]
> [ dynamic dial-in ip ]
> 
> [snip]
> 
> This makes me think that the worm is capable of infecting not only
> dedicated web servers, but also dial-in customers running ppp that
> happen to be online when the attack occurs. NetSide is an all Sun
> sparc shop and we don't have any Windows based machines, but I can see
> this worm being alive and spreading for a long time if dial-in users
> are affected.
> 
> Unfortunately, they don't provide a date and time stamp, so
> identifying the actual user is not possible. I can provide web server
> log extracts to whoever collects/analyzes such information (John O.,
> sorry but you're bouncing my email - get rid of MAPS).
> 
> --Mitch
> NetSide



             Jason A. Mills           phyxis at rottweiler.org
             ----------------------------------------------
              "La morale est la faiblesse de la cervelle."
                 Arthur Rimbaud --- Une Saison en Enfer
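The quoted message points at the practical problem with dynamic dial-in addresses: a report that names only an IP cannot be tied to a customer unless it also carries a timestamp, because the same address is handed to different users over the day. Below is an added example (not code from either poster, nor from SecurityFocus) of the correlation an ISP would do with its own data: pull the Code Red probes out of a web server log, which do carry timestamps, and match each one against dial-in accounting records by address and session window. The probe signature ("GET /default.ida?NNNN...%u9090...") is the well-known Code Red request; the Apache-format log lines, the addresses, and the RADIUS-style session table are constructed for this example and are assumptions about what such an ISP would have on hand.

```python
import re
from datetime import datetime

# Constructed Apache combined-format log lines. The "/default.ida?NNNN...%u9090"
# request is the well-known Code Red probe; the query tail here is shortened
# and the addresses and timestamps are invented for this example.
CODERED_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801"
WEB_LOG_LINES = [
    f'10.20.30.41 - - [19/Jul/2001:14:02:11 -0400] "GET /default.ida?{CODERED_QUERY}=a HTTP/1.0" 400 0 "-" "-"',
    '10.20.30.42 - - [19/Jul/2001:14:05:37 -0400] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    f'10.20.30.41 - - [19/Jul/2001:17:40:02 -0400] "GET /default.ida?{CODERED_QUERY}=a HTTP/1.0" 404 0 "-" "-"',
    f'10.20.30.43 - - [19/Jul/2001:20:11:45 -0400] "GET /default.ida?{CODERED_QUERY}=a HTTP/1.0" 404 0 "-" "-"',
]

# Constructed dial-in accounting records (what a RADIUS accounting log would
# give you): which user held which framed IP during which session window.
# Note that 10.20.30.41 is reused by two different users on the same day.
SESSIONS = [
    {"user": "alice", "ip": "10.20.30.41",
     "start": "2001-07-19T13:50:00-04:00", "stop": "2001-07-19T14:30:00-04:00"},
    {"user": "bob",   "ip": "10.20.30.41",
     "start": "2001-07-19T17:00:00-04:00", "stop": "2001-07-19T18:15:00-04:00"},
    {"user": "carol", "ip": "10.20.30.42",
     "start": "2001-07-19T14:00:00-04:00", "stop": "2001-07-19T15:00:00-04:00"},
]

# Client IP, bracketed timestamp and quoted request line of a combined-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# The Code Red probe: a GET for /default.ida with a long run of N's followed by
# the %u-encoded payload. Match loosely on the prefix rather than exact bytes.
PROBE_RE = re.compile(r'^GET /default\.ida\?N+%u9090', re.IGNORECASE)


def find_codered_probes(lines):
    """Return the Code Red probe entries in a web log as (ip, aware datetime) records."""
    probes = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.match(m.group("req")):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        probes.append({"ip": m.group("ip"), "time": ts})
    return probes


def attribute_probes(probes, sessions):
    """Tie each probe to the dial-in user who held that IP at that instant.

    A probe whose address has no session covering its timestamp gets user=None:
    that is the case the SecurityFocus report (IP only, no time) leaves you in
    for every address.
    """
    results = []
    for p in probes:
        user = None
        for s in sessions:
            start = datetime.fromisoformat(s["start"])
            stop = datetime.fromisoformat(s["stop"])
            if s["ip"] == p["ip"] and start <= p["time"] <= stop:
                user = s["user"]
                break
        results.append({"ip": p["ip"], "time": p["time"], "user": user})
    return results


if __name__ == "__main__":
    for hit in attribute_probes(find_codered_probes(WEB_LOG_LINES), SESSIONS):
        who = hit["user"] or "UNATTRIBUTED (no session covers this time)"
        print(f'{hit["time"].isoformat()}  {hit["ip"]:<15}  {who}')
```

The two probes from 10.20.30.41 resolve to different customers purely because the timestamps fall into different session windows; strip the timestamps, as the ARIS notice did, and both collapse into one unattributable address. The third probe shows the other failure mode, an address with no accounting record covering that time, which should be reported as unknown rather than guessed.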




More information about the NANOG mailing list