Firewall Wizards mailing list archives
Re: Code Red paths
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 8 Aug 2001 13:17:49 -0400 (EDT)
There has been talk on bugtraq that some proxies are passing Code Red attacks; I noted ms-proxy amongst those mentioned.

Thanks,

Ron DuFresne

On Tue, 7 Aug 2001, robert_david_graham wrote:
> I've been talking to a LOT of people inside firewalls, and found that CodeRed (especially CodeRedII) has successfully penetrated firewalls into the internals of the network. I know that a lot of sales people I've talked to have also related the fact that sales calls are being canceled because the security personnel are running around patching machines (and reinstalling) inside their networks.
>
> Likewise, looking at CodeRed attacks against my own computer, an amazing number of them are coming through high ports > 20,000, indicating that they are going through NATs (Microsoft doesn't allocate client dynamic ports that high). This indicates the worm found ways through backdoors, then came out the front doors.
>
> This tells me that for the average corporation, there is a route through the firewall. Customers often give weird excuses, such as "all my boxes are secure, but I'm forced to allow somebody else's boxes on my DMZ, and that is how it snaked through because they were multihomed". Everybody I talked to had a "properly" configured system, but it snaked around it anyway.
>
> What route do you think it took? One plausible route is that it hits the HTTP server on the front end, then bounces through to a backend server. Maybe the backend was running SQL (so access was required), but somebody left both IIS running on the backend for no good reason AND failed to firewall adequately. Or maybe there was a dual-homed desktop running Win2k PWS that allowed it in? Or was it through a dual-homed machine that the security people weren't aware was dual-homed?
>
> Are other people seeing the same thing? It seems to me that CodeRedII has demonstrated how weak the firewall front-ends really are.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
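Graham's observation above (Code Red hits arriving from source ports above 20,000 point at NAT traversal, since Windows of that era handed clients dynamic ports in the 1024-5000 range) can be turned into a quick triage script over web or packet-filter logs. The following is an added example, not code from either poster or from the list. The log format ("src_ip:src_port -> dst_port METHOD URI PROTO") and every sample line are constructed for this example; the request shape it looks for, a GET to /default.ida padded with N (Code Red v1/v2) or X (CodeRedII) followed by %u-encoded shellcode, is from public analyses of the worm rather than from this thread, and the 20,000 threshold is Graham's heuristic as stated in his post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Source port above which Graham's post treats a hit as having come through a NAT.
NAT_PORT_THRESHOLD = 20000

# Constructed sample lines (not from the original post).
# Assumed format: "src_ip:src_port -> dst_port METHOD URI PROTO".
SAMPLE_LOG = """\
203.0.113.7:1029 -> 80 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0
198.51.100.22:34817 -> 80 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0
192.0.2.5:1234 -> 80 GET /index.html HTTP/1.0
192.0.2.9:61002 -> 80 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0
10.0.0.3:2048 -> 80 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> (?P<dport>\d+) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+)"
)

# The worm hits the .ida ISAPI filter with a run of N (v1/v2) or X (CodeRedII)
# padding and then %u-encoded shellcode; a plain /default.ida request is not enough.
CODERED_RE = re.compile(r"^/default\.ida\?(?P<pad>N+|X+)[^ ]*%u[0-9a-f]{4}", re.IGNORECASE)


@dataclass
class Hit:
    src_ip: str
    src_port: int
    variant: str      # "CodeRed" (N padding) or "CodeRedII" (X padding)
    likely_nat: bool  # source port above NAT_PORT_THRESHOLD


def classify_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line is a Code Red probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    cr = CODERED_RE.match(m.group("uri"))
    if not cr:
        return None
    variant = "CodeRedII" if cr.group("pad")[0].upper() == "X" else "CodeRed"
    sport = int(m.group("sport"))
    return Hit(m.group("ip"), sport, variant, sport > NAT_PORT_THRESHOLD)


def analyze(log_text: str) -> List[Hit]:
    """Scan every line of a log and collect the Code Red hits."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        h = classify_line(line)
        if h is not None:
            hits.append(h)
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Counts a firewall admin would want at a glance."""
    return {
        "total": len(hits),
        "coderedii": sum(1 for h in hits if h.variant == "CodeRedII"),
        "likely_nat": sum(1 for h in hits if h.likely_nat),
    }


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for h in found:
        flag = "  <- high source port, probably NATed" if h.likely_nat else ""
        print(f"{h.src_ip}:{h.src_port} {h.variant}{flag}")
    print(summarize(found))
```

The source-port test is only a hint, not proof: a high port tells you the packet was most likely rewritten by a NAT or proxy in front of the infected IIS box, which is exactly the "came out the front door" case Graham describes, but it says nothing about which internal path the worm used to get in. Pair the hits with the NAT device's own translation logs to map the flagged external addresses back to the infected internal hosts.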
Current thread:
- RE: Re: Code Red: What security specialist don't mention inwarnings(Frank Knobbe) Joseph Steinberg (Aug 07)
- Code Red paths robert_david_graham (Aug 08)
- Re: Code Red paths bacano (Aug 10)
- Re: Code Red paths R. DuFresne (Aug 10)
- Re: Re: Code Red: What security specialist don't mentioninwarnings(Frank Knobbe) Paul Cardon (Aug 10)