Security Incidents mailing list archives
Re: Code Red, anyone?
From: Joseph Nicholas Yarbrough <nyarbrough () lurhq com>
Date: Wed, 1 Aug 2001 05:43:07 -0400
On Tuesday 31 July 2001 21:31, Alfred Huger wrote:
> Anyone seeing Code Red activity yet?
When I came in tonight at 1 am I was told that there was no Code Red activity seen all night. Now (5:14 EDT) I'm seeing dozens of connects per minute. If it grows at the rate it had previously, we are possibly looking at another serious problem.

Since the end of the last batch of scanning, I'm sure many infected hosts were rebooted because of crashing or some other reason (installing software, changing IPs, etc.). After reboot they are no longer infected (because the virus wasn't spreading). Now these systems, and possibly others that weren't infected the first time around, are getting infected and starting to scan.

Chances are, anyone who hasn't applied the patch by now isn't going to. As another list went over, some vendors won't support their product if you apply patches to the system that are not from them (I believe it was some web-banking software on IIS that was specifically mentioned). I don't take a doomsday attitude with Code Red, but it's clear it's going to continue to create problems to some degree.

My company monitors many class C and B networks' firewall logs, IDS, network appliance reports, etc. We only monitor a tiny chunk of the internet as a whole. However, if I see this just on our clients' networks then the rest of the world has to be seeing it. Remember, it took several days last time before it got big. This time there are fewer systems for it to infect, but it has a bigger base number from which to spread. Without hard numbers, it's impossible to come up with even a guess at what the spread rate will be.

Let's hope all the organizations who repost advisories as if they had anything to do with the discovery actually got through to some people. Remember, the problem is people who have to hear about available patches to serious security problems on their local news. Perhaps if major news networks and the AP would run a story on system/network admins that don't subscribe to security mailing lists we wouldn't have had such a problem.
No flames were intended in this message. Don't misinterpret it that way and counterflame.

--
Joseph Nicholas Yarbrough
Information Security Analyst
LURHQ Corporation

***NOTE*** These words and thoughts are my own, not my company's.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com