Snort mailing list archives

What to do with CodeRed(II) logged hosts ?


From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 14:15:21 +0300

Kai,

currently the best thing you can do is:

- Keep blocking the attacking hosts using the script you mentioned

- Send Code Red attack information to DShield. Check out
http://www.dshield.org and http://www.dshield.org/codered.html

- Send Code Red attack information from your Snort log to
'aris-report () securityfocus com'. They gather information on infected
hosts and contact the administrators of those hosts. I don't recommend you
start contacting administrators of the infected hosts yourself; it's
quite an impossible mission right now, as new infections keep coming all the
time. When sending log entries to aris-report () securityfocus com, use the
following format:

        IP ADDRESS DATE/TIME

For example, if your timezone is CET (GMT+1) and your Snort log entry looks
like this:

        08/06-13:43:59.670942  [**] [1:0:0] Code Red IDA Overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
{TCP} 111.222.333.444:3463 -> 123.123.123.123:80

then send it formatted like this:

        111.222.333.444 2001-08-06      13:43:59        CET (GMT+1)



Yours,

Jyri Hovila

Information Security Specialist
Tel: +358-41-448 3238
E-mail: jyri.hovila () iki fi

Certifications:
http://www.brainbench.com/transcript.jsp?pid=2301241
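The conversion Jyri describes above (Snort "fast" alert line in, "IP DATE TIME TZ" line out) as an added example; this is not code from the post or from any of the projects it mentions. It assumes the one-line "fast" alert layout shown in the post, that the log was written by a sensor whose clock is in the timezone you label it with (Snort's fast alerts carry no year and no timezone, so both are supplied by the caller), and the sample log, the 2001 year and the "CET (GMT+1)" label are constructed for the demonstration. The IP addresses are documentation ranges, not the ones in the post.

```python
"""Turn Snort 'fast' alert lines into 'IP<TAB>DATE<TAB>TIME<TAB>TZ' report lines.

Added example; not from the original post. Only alerts whose message mentions
Code Red are reported, exact duplicates are dropped, and lines that are not
Snort alerts are skipped rather than crashing the run.
"""
import re
from datetime import datetime

# One Snort fast-alert line, e.g.
#   08/06-13:43:59.670942  [**] [1:0:0] Code Red IDA Overflow [**] \
#   [Classification: ...] [Priority: 10] {TCP} 1.2.3.4:3463 -> 5.6.7.8:80
# Ports are optional so ICMP alerts (no ports) still parse.
ALERT_RE = re.compile(
    r"^(?P<month>\d{2})/(?P<day>\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log (not real traffic). The second line is an unrelated
# alert, the last line is garbage that must be skipped.
SAMPLE_LOG = """\
08/06-13:43:59.670942  [**] [1:0:0] Code Red IDA Overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 10] {TCP} 198.51.100.23:3463 -> 203.0.113.9:80
08/06-13:44:02.118310  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.77 -> 203.0.113.9
08/06-13:45:10.003221  [**] [1:0:0] Code Red IDA Overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 10] {TCP} 198.51.100.88:1120 -> 203.0.113.9:80
08/06-13:43:59.670942  [**] [1:0:0] Code Red IDA Overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 10] {TCP} 198.51.100.23:3463 -> 203.0.113.9:80
this line is not a Snort alert
"""


def parse_alert(line, year):
    """Parse one fast-alert line; return a dict or None if it is not one.

    `year` is an assumption supplied by the caller: the fast format only
    logs month/day, so the sensor's year has to be known out of band.
    """
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(
        f"{year}-{m['month']}-{m['day']} {m['time']}", "%Y-%m-%d %H:%M:%S"
    )
    return {
        "when": when,
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "proto": m["proto"],
        "src": m["src"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dst": m["dst"],
        "dport": int(m["dport"]) if m["dport"] else None,
    }


def is_code_red(alert):
    """Report only Code Red alerts; other signatures stay local."""
    return "code red" in alert["msg"].lower()


def format_report_line(alert, tz_label):
    """The 'IP  YYYY-MM-DD  HH:MM:SS  TZ' shape given in the post, tab separated."""
    when = alert["when"]
    return f"{alert['src']}\t{when:%Y-%m-%d}\t{when:%H:%M:%S}\t{tz_label}"


def build_report(log_text, year, tz_label):
    """Parse a whole log, keep Code Red alerts, drop exact duplicates, keep order."""
    seen = set()
    out = []
    for line in log_text.splitlines():
        alert = parse_alert(line, year)
        if alert is None or not is_code_red(alert):
            continue
        report = format_report_line(alert, tz_label)
        if report not in seen:
            seen.add(report)
            out.append(report)
    return out


if __name__ == "__main__":
    for row in build_report(SAMPLE_LOG, 2001, "CET (GMT+1)"):
        print(row)
```

The timezone label is deliberately a caller-supplied string rather than something derived from the machine running the script: what matters is the clock the sensor stamped the alerts with, which may not be the clock of the box you run the report on. Feed it a real alert file with `build_report(open(path).read(), year, label)`.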
 


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

