Firewall Wizards mailing list archives

Re: Code Red paths


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 8 Aug 2001 13:17:49 -0400 (EDT)


There has been talk on bugtraq that some proxies are passing Code Red
attacks; I noted ms-proxy amongst those mentioned.

Thanks,

Ron DuFresne

On Tue, 7 Aug 2001, robert_david_graham wrote:

I've been talking to a LOT of people inside firewalls, and found that
CodeRed (especially CodeRedII) has successfully penetrated firewalls into
the internals of the network. I know that a lot of sales people I've talked
to have also related the fact that sales calls are being canceled because the
security personnel are running around patching machines (and reinstalling)
inside their networks.

Likewise, looking at CodeRed attacks against my own computer, an amazing
number of them are coming through high ports > 20,000, indicating that they
are going through NATs (Microsoft doesn't allocate client dynamic ports that
high). This indicates the worm found ways through backdoors, then came out
the front doors.

This tells me that for the average corporation, there is a route through the
firewall. Customers often give weird excuses, such as "all my boxes are
secure, but I'm forced to allow somebody else's boxes on my DMZ, and that is
how it snaked through because they were multihomed". Everybody I talked to
had a "properly" configured system, but it snaked around it anyway.

What route do you think it took?

One plausible route is that it hits the HTTP server on the front end, then
bounces through to a backend server. Maybe the backend was running SQL (so
access was required), but somebody left both IIS running on the backend for
no good reason AND failed to firewall adequately.

Or maybe there was a dual-homed desktop running Win2k PWS that allowed it
in?

Or was it through a dual-homed machine that the security people weren't
aware was dual-homed?

Are other people seeing the same thing? It seems to me that CodeRedII has
demonstrated how weak the firewall front-ends really are.



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

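As an added example (not code from either poster), a small triage script that applies Robert's source-port heuristic to constructed web-server request records: it flags Code Red style `/default.ida` requests, separates the N-padded first worm from the X-padded CodeRedII (a known fact about the two variants, not stated in this thread), and marks any source whose port is above 20,000 as likely NAT- or proxy-translated. The record format and the 20,000 threshold are assumptions taken from the post.

```python
import re

# Windows' default ephemeral port range then was 1025-5000, so a source port far
# above that (the > 20,000 ports Robert describes) points at NAT or proxy translation.
HIGH_PORT = 20000

# Constructed sample records (not real traffic): "src_ip src_port request-line".
SAMPLE_LOG = """\
203.0.113.5 3021 GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0
203.0.113.5 3022 GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0
198.51.100.7 41233 GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0
198.51.100.7 41234 GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0
192.0.2.9 1420 GET /index.html HTTP/1.0
192.0.2.44 62000 GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0
"""

LOG_RE = re.compile(r"^(\S+) (\d+) ([A-Z]+) (\S+) HTTP/\d\.\d$")
# Code Red padded the .ida query with a run of 'N'; Code Red II used 'X'.
IDA_RE = re.compile(r"^/default\.ida\?([NX])\1{3,}")

def classify_request(path):
    """Return 'CodeRed', 'CodeRedII', or None for a request path."""
    m = IDA_RE.match(path)
    if m is None:
        return None
    return "CodeRed" if m.group(1) == "N" else "CodeRedII"

def triage(log_text):
    """Group worm requests by source IP and flag sources that look NAT-translated."""
    sources = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip malformed records instead of aborting the run
        ip, port, path = m.group(1), int(m.group(2)), m.group(4)
        variant = classify_request(path)
        if variant is None:
            continue  # ordinary request, not worm traffic
        entry = sources.setdefault(ip, {"variants": set(), "hits": 0, "max_src_port": 0})
        entry["variants"].add(variant)
        entry["hits"] += 1
        entry["max_src_port"] = max(entry["max_src_port"], port)
    for entry in sources.values():
        entry["likely_nat"] = entry["max_src_port"] > HIGH_PORT
    return sources

def nat_share(sources):
    """Return (attacking sources, sources whose ports suggest NAT/proxy translation)."""
    return len(sources), sum(1 for e in sources.values() if e["likely_nat"])
```

Run `nat_share(triage(SAMPLE_LOG))` on real access or firewall logs in the same shape to see how much of the inbound worm traffic arrives from behind translation devices.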

