Bugtraq mailing list archives
RE: Full analysis of the .ida "Code Red" worm.
From: "Marc Maiffret" <marc () eeye com>
Date: Thu, 19 Jul 2001 18:55:13 -0700
You basically just summed up what I was writing in an eMail... As far as things look right now... whitehouse.gov will remain standing upright because they blackholed the IP address that use to map to it which was the right thing to do and kept this from turning into a much bigger problem then it already is. This of course does not by any means the worm is done. Hopefully enough people are talking and administrators are listening and installing patches right away. --- as a side note... some people asked about why the worm has "slowed down" on infecting and thats because the worm was designed to do that... to stop infecting and start attacking an IP address that use to point to whitehouse.gov. This whole worm process that we have been going through will basically start from scratch and run its course again when the 1st of next month comes around. Signed, Marc Maiffret Chief Hacking Officer eEye Digital Security T.949.349.9062 F.949.349.9538 http://eEye.com/Retina - Network Security Scanner http://eEye.com/Iris - Network Traffic Analyzer http://eEye.com/SecureIIS - Web Application Firewall | -----Original Message----- | From: Ryan Russell [mailto:ryan () securityfocus com] | Sent: Thursday, July 19, 2001 6:36 PM | To: Laurence Hand | Cc: Marc Maiffret; BUGTRAQ | Subject: Re: Full analysis of the .ida "Code Red" worm. | | | On Thu, 19 Jul 2001, Laurence Hand wrote: | | > | > I know MS watches this list, so I hope they will be checking their | > servers before this starts the DDOS tomorrow. | > | | I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC, | the next day). I was getting 5-10 attempts an hour, and I've had 0 | since 4:43:29 PDT. | | Folks will notice that www.whitehouse.gov is still accessible. The worm | authors only put in one IP address, the one for www1.whitehouse.gov. BBN | (who appears to be the provider for whitehouse.gov, according to my | tracert) has blocked that single IP address at their peering points. So | www2.whitehouse.gov is still running just fine. | | Presumably, www.whitehouse.gov used to be RR DNS between the two. Now, | www.whitehouse.gov resolves to just 198.137.240.92, and it has a TTL of | only 872. | | For a relatively clever worm, the author sure screwed up his target list. | Whoops. | | Ryan | |
Current thread:
- Full analysis of the .ida "Code Red" worm. Marc Maiffret (Jul 18)
- Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm. Joe Harris (Jul 19)
- Re: Full analysis of the .ida "Code Red" worm. Laurence Hand (Jul 19)
- Re: Full analysis of the .ida "Code Red" worm. Ryan Russell (Jul 19)
- RE: Full analysis of the .ida "Code Red" worm. Marc Maiffret (Jul 19)
- RE: Full analysis of the .ida "Code Red" worm. Eric Chien (Jul 20)
- Re: Full analysis of the .ida "Code Red" worm. Ryan Russell (Jul 19)
- Re: Full analysis of the .ida "Code Red" worm. Pierre Vandevenne (Jul 19)
- Re: Full analysis of the .ida "Code Red" worm. JNJ (Jul 20)
- Timely Patching (was: Full analysis of the .ida "Code Red" worm.) Crispin Cowan (Jul 23)
- Re: Mitigating some of the effects of the Code Red worm Vincas Ciziunas (Jul 19)
- Re: Mitigating some of the effects of the Code Red worm Johannes B. Ullrich (Jul 19)
- Re: Mitigating some of the effects of the Code Red worm Ryan Russell (Jul 20)
- RE: Mitigating some of the effects of the Code Red worm Linda Custer (Jul 20)