Snort mailing list archives
What to do with CodeRed(II) logged hosts ?
From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 14:15:21 +0300
Kai, currently the best thing you can do is:

- Keep blocking the attacking hosts using the script you mentioned
- Send Code Red attack information to DShield. Check out http://www.dshield.org and http://www.dshield.org/codered.html
- Send Code Red attack information from your Snort log to 'aris-report () securityfocus com'. They gather information of infected hosts and contact administrators of those hosts.

I don't recommend you start contacting administrators of the infected hosts yourself; it's quite an impossible mission right now as new infections keep coming all the time.

When sending log entries to aris-report () securityfocus com, use the following format:

IP ADDRESS DATE/TIME

For example, if your timezone is CET (GMT+1) and your Snort log entry looks like this:

08/06-13:43:59.670942 [**] [1:0:0] Code Red IDA Overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 10] {TCP} 111.222.333.444:3463 -> 123.123.123.123:80

then send it formatted like this:

111.222.333.444 2001-08-06 13:43:59 CET (GMT+1)

Yours,

Jyri Hovila
Information Security Specialist
Tel: +358-41-448 3238
E-mail: jyri.hovila () iki fi
Certifications: http://www.brainbench.com/transcript.jsp?pid=2301241
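One way to automate the reformatting the post describes, turning Snort fast-alert lines into the "IP ADDRESS DATE/TIME" lines for the report, as an added example that is not from the post or from the Snort project. It assumes the caller supplies the year (Snort's fast-alert timestamp carries none) and the timezone label, and the sample log lines below are constructed around the one quoted in the post.

```python
import re
from datetime import datetime

# Snort "fast" alert format: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
SNORT_ALERT_RE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+ "
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)


def snort_to_aris(line, year, tz_label, match="Code Red"):
    """Convert one Snort alert line to 'IP DATE/TIME TZ' as the post describes.

    Returns None for lines that do not parse or whose message does not contain
    `match`, so unrelated alerts are not reported. The year is an assumption
    supplied by the caller because the fast-alert timestamp omits it.
    """
    m = SNORT_ALERT_RE.match(line.strip())
    if not m or match not in m.group("msg"):
        return None
    # Round-trip through datetime so an impossible date (e.g. month 13) is rejected.
    stamp = datetime.strptime(
        f"{year}-{m.group('mon')}-{m.group('day')} {m.group('time')}", "%Y-%m-%d %H:%M:%S"
    )
    return f"{m.group('src')} {stamp:%Y-%m-%d %H:%M:%S} {tz_label}"


def convert_log(lines, year, tz_label):
    """Run snort_to_aris over a whole log, keeping only the Code Red alerts."""
    return [r for r in (snort_to_aris(l, year, tz_label) for l in lines) if r]


# Constructed sample log: the line quoted in the post (its source address is the
# post's placeholder, not a real host) plus one unrelated alert that must be dropped.
SAMPLE_LOG = [
    "08/06-13:43:59.670942 [**] [1:0:0] Code Red IDA Overflow [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 10] "
    "{TCP} 111.222.333.444:3463 -> 123.123.123.123:80",
    "08/06-13:44:10.000001 [**] [1:0:0] WEB-MISC generic alert [**] "
    "[Classification: Web Application Attack] [Priority: 3] "
    "{TCP} 10.0.0.5:1234 -> 123.123.123.123:80",
]

if __name__ == "__main__":
    for row in convert_log(SAMPLE_LOG, 2001, "CET (GMT+1)"):
        print(row)
```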