Snort mailing list archives

RE: Code Red attacks - a warning.


From: "Franki" <frankieh () vianet net au>
Date: Tue, 18 Sep 2001 21:04:28 +0800

Perhaps, except for one thing...

I didn't ask for the intrusion of their server trying to infect mine with
Code Red, so I am responding to an attempted intrusion...

if someone comes into your house with a gun and tries to shoot you, you
usually get "self defense" if you manage to take him out instead..

Same sort of thing: their server is the intruder; whether they know it or
not is irrelevant... it changes nothing.

Their server is attempting to damage ours, through their ineptitude, and
we are responding to stop the threat and the wasted bandwidth to our servers...


I don't think it's that big a deal, but I understand how it could be seen
that way by others...


rgds

Frank
  -----Original Message-----
  From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Tom Rowan
  Sent: Tuesday, 18 September 2001 7:30 PM
  To: 'franki () gshop com au'; snort-users () lists sourceforge net
  Subject: RE: [Snort-users] Code Red attacks - a warning.


  Something like that MIGHT work.
  But are you not opening yourself up to being seen to commit the same
  offense(s) that the original author of Code Red did? You are using someone
  else's system without their permission... which is illegal!

  While it is an honourable thought, I think you've got to be careful here.

  Tom
    -----Original Message-----
    From: Franki [mailto:franki () gshop com au]
    Sent: 18 September 2001 09:55
    To: snort-users () lists sourceforge net
    Subject: RE: [Snort-users] Code Red attacks


    Couldn't we just write and upload a bat file for the server to run???

    ie: update.bat

    ftp www.update.microsoft.com/yada/yadda/yadda

    get /updates/something/iisupdate.exe

    c:\somewhere\iisupdate.exe

    shutdown -r now #couldn't remember the Windows version of that so I substituted the *nix version, you get the idea.

    Would that not work?? And since the patch gets downloaded from an MS server, it's less likely to get detractors...

    You could also have it email the admin of the server, something to the effect...


    After hours of sustained requests from your server to one of ours, our server response has activated, and has responded to YOUR server's REQUEST by telling it to download the patch from Microsoft... If you are reading this, there is a good chance it was successful, and you are no longer susceptible to Code Red and its variants.
    However, this does not exclude the possibility that, sometime in the period you were infected, your server had "back doors" installed. You should look into this and take the necessary steps.


    I think that's a nice solution, and it makes it clear that the other server requested the info, and that the patch was the response... (It's just like manually downloading stuff from the web: if you download a dodgy program and install it, you can't legally blame the guy who wrote it because he didn't force you to install it.... you requested the download..... see what I mean?)



    rgds

    Frank




      -----Original Message-----
      From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jason Withrow
      Sent: Tuesday, 18 September 2001 8:33 AM
      To: 'Jason Withrow'; 'Greg Wright'
      Cc: snort-users () lists sourceforge net
      Subject: RE: [Snort-users] Code Red attacks


      I think we should write that.



      The world will be a better place.



      So the question now is how can we upload the patch?

      We know that there will most likely be a cmd shell living in C:, which has been shared out through IIS and has been given execute permissions by Code Red's infection process.



      I guess we would have to send a carefully crafted URL response back, passing parameters back to cmd.exe to invoke ftp.exe???





      - Jason



      -----Original Message-----
      From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Withrow
      Sent: Monday, September 17, 2001 8:23 PM
      To: 'Greg Wright'
      Cc: snort-users () lists sourceforge net
      Subject: RE: [Snort-users] Code Red attacks



      I like it.



      It makes complete sense to me.



      - Jason





      -----Original Message-----
      From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Greg Wright
      Sent: Monday, September 17, 2001 7:56 PM
      To: 'snort-users () lists sourceforge net'
      Subject: RE: [Snort-users] Code Red attacks



      I liked the idea of configuring the server to return data to an exploited system that will patch the hole; however, the potential legality issues frighten me. However, I wonder...

      Isn't it possibly a little convoluted, in that the exploited system that you are 'putting' data on is actually requesting *something* from your server initially? The action of 'putting data' is the serving of a request initiated by the infected system.

      If you were to put data on your web server system that stops Code Red, and an affected box attempted to scan for and pass a request to your server, then the data that it passes back was not sent directly, but sent in response to a request.

      What is the general opinion on this?

      Regards,
      Greg Wright

      -----Original Message-----
      From: Erek Adams [mailto:erek () theadamsfamily net]
      Sent: Tuesday, 18 September 2001 8:22 AM
      To: Jason Withrow
      Cc: 'Gordon Ewasiuk'; snort-users () lists sourceforge net
      Subject: RE: [Snort-users] Code Red attacks

      On Mon, 17 Sep 2001, Jason Withrow wrote:

      > What is the legal issue, it is a purely defensive mechanism.

      Well... I'm not a lawyer, but: you're doing _something_ to someone else's machine, uninvited. That in and of itself can put you in a lot of legal hot water, depending on the remote site's security policy. Now, I'm not arguing the morality of what you're doing, or what you intend to do, but the act of accessing someone else's stuff without consent puts you into the same class as a 'hacker' in the eyes of a lot of corporate security policies.

      Instead, "Do the Right Thing". :) Anyone from your local subnets, give them a call. Most of the CR{I,II,III} tend to target the local subnets over remote ones. A quick use of whois and traceroute will usually give you a fair idea of where someone is at physically.

      Or simpler, block them at the router.  ;-)

      -----
      Erek Adams
      Nifty-Type-Guy
      TheAdamsFamily.Net



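As an added, defender-side example that is not part of the thread: a small Python script that picks Code Red probe sources out of web-server log lines and sorts them into local addresses (call the admin, as Erek suggests) and remote ones (block at the router). The log lines are constructed, the local subnet and the Cisco-style ACL format are assumptions, and the filler runs are far shorter than a real probe's.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines in Common Log Format (not real traffic).
# A real Code Red probe carries a few hundred filler characters; shortened here.
SAMPLE_LOG = """\
10.1.2.77 - - [18/Sep/2001:08:21:05 +0800] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a HTTP/1.0" 404 0
10.1.2.77 - - [18/Sep/2001:08:21:41 +0800] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a HTTP/1.0" 404 0
203.0.113.9 - - [18/Sep/2001:08:21:09 +0800] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858=a HTTP/1.0" 404 0
198.51.100.4 - - [18/Sep/2001:08:22:00 +0800] "GET /index.html HTTP/1.1" 200 1234
"""

# Code Red probes hit the .ida ISAPI handler with a long run of N (CRv1)
# or X (CRII) filler characters after default.ida?; that run is the tell.
CLF_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')
CODE_RED_PROBE = re.compile(r'^GET /default\.ida\?[NX]{20,}', re.IGNORECASE)

# Hypothetical local address range; replace with your own subnets.
LOCAL_SUBNETS = [ip_network("10.1.0.0/16")]


def probe_sources(log_text):
    """Return {source_ip: probe_count} for lines that look like Code Red scans."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CLF_LINE.match(line)
        if m and CODE_RED_PROBE.match(m.group(2)):
            hits[m.group(1)] += 1
    return dict(hits)


def triage(hits):
    """Split probe sources into local (phone the admin) and remote (block)."""
    local, remote = {}, {}
    for src, count in hits.items():
        addr = ip_address(src)
        is_local = any(addr in net for net in LOCAL_SUBNETS)
        (local if is_local else remote)[src] = count
    return local, remote


def router_acl(remote):
    """Render Cisco-style extended ACL deny lines for the remote sources."""
    return ["deny ip host %s any" % src for src in sorted(remote)]


if __name__ == "__main__":
    local, remote = triage(probe_sources(SAMPLE_LOG))
    print("local sources to notify:", local)
    print("remote sources to block:", remote)
    print("\n".join(router_acl(remote)))
```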

