Vulnerability Development mailing list archives
Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)
From: "Stanley G. Bubrouski" <stan () ccs neu edu>
Date: Thu, 6 Sep 2001 20:32:30 -0400 (EDT)
On Thu, 6 Sep 2001, Emre Yildirim wrote:
Kev wrote:

Unfortunately, all the world's not the USA (much to the chagrin of many of my fellow citizens, it seems). Also, there are many, many, many clueless admins out there; anybody that has to deal with script kiddies knows just how often Korean (for instance) hosts are broken into and used for all sorts of nefarious purposes. 90% of the time, I'm unable to even report spam to the open relays in that country, because not only is postmaster@ not even present, the contacts listed in whois.nic.or.kr just point into never-never land. I fear we will never see the end of this particular problem :/

I know what you mean. I had to deal with lots of attacks & probes from *ac.kr myself. I think a long time ago there was a discussion on incidents@ (I think, I'm not sure) suggesting to create router ACLs with Korean/offending IP numbers to block them completely from the Internet (similar to e-mail anti-spam lists). But then again, that defeats the purpose of the internet (to communicate around the world). As long as admins aren't educated and made aware of these problems, it's not going to change at all. But I'm not completely sure if infecting systems with a counter-worm is the solution either. Like some people already pointed out, it does consume lots of bandwidth, sets off IDSs, and irritates people who have Apache servers, whose logs get clogged up by these obsolete requests. Code Red is going to die out sometime eventually, just like Melissa did...so I'm not worried about it much.
It may sound unreasonable, but using access-lists on routers is a great way for companies and providers to stop the spread of Code Red. By blocking all traffic from a person's machine they are then forced to call their provider's tech support to report they lost their connection. The provider then can inform the customer they are infected, explain to them they must patch their system, remove them from the ACLs, wait 24 hours and if they show signs they are patched then do not reapply the ACL.

Another way is to turn on router and firewall logging and use ACLs to log http traffic and filter out Code Red infected users and call them and e-mail them the patches. This doesn't block the user from accessing the network like the first method does, but it also doesn't prevent the infected user from infecting more people on the net and congesting the network.

Regards,
Stan

--
Stan Bubrouski stan () ccs neu edu
23 Westmoreland Road, Hingham, MA 02043
Cell: (617) 835-3284
Cheers -- Emre Yildirim <emre () asper org> GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)
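
The logging approach described in the message above, as an added example that is not part of the original thread: it scans web server log lines for the well-known Code Red request to `/default.ida` and lists customer addresses that sent it, so they can be contacted. The customer range `192.0.2.0/24`, the Apache common log format, the `min_hits` threshold and all function names are assumptions; the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Code Red requests /default.ida? followed by a long run of one filler
# character ('N' in the original worm, 'X' in Code Red II).
CODE_RED = re.compile(r'"GET /default\.ida\?(?:N{50,}|X{50,})')

# Assumption: address ranges the provider assigns to its customers.
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def is_customer(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError if not an IP
    return any(addr in net for net in CUSTOMER_NETS)

def infected_customers(log_lines, min_hits=2):
    """Return {source_ip: probe_count} for customer hosts that sent
    at least min_hits Code Red requests."""
    hits = Counter()
    for line in log_lines:
        if not CODE_RED.search(line):
            continue
        src = line.split(" ", 1)[0]
        try:
            if is_customer(src):
                hits[src] += 1
        except ValueError:
            continue  # first field is a hostname or garbage, skip it
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def entry(src, request):
    # Build one constructed log line in Apache common log format.
    return f'{src} - - [06/Sep/2001:20:01:11 -0400] "{request}" 404 205'

PROBE_N = "GET /default.ida?" + "N" * 224 + " HTTP/1.0"
PROBE_X = "GET /default.ida?" + "X" * 224 + " HTTP/1.0"
SAMPLE_LOG = [  # constructed sample data, not real traffic
    entry("192.0.2.17", PROBE_N),
    entry("192.0.2.17", "GET /index.html HTTP/1.0"),
    entry("192.0.2.17", PROBE_N),
    entry("192.0.2.40", PROBE_X),
    entry("198.51.100.9", PROBE_N),   # outside customer ranges
    entry("198.51.100.9", PROBE_N),
    entry("host.example.net", PROBE_N),  # resolved hostname, skipped
]

if __name__ == "__main__":
    for ip, n in sorted(infected_customers(SAMPLE_LOG).items()):
        print(f"{ip}: {n} Code Red probes, contact customer with patch")
```

Requiring more than one hit before contacting a customer avoids acting on a single stray or replayed request; with `min_hits=1` the host that sent one Code Red II style probe is listed as well.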