Firewall Wizards mailing list archives

FW: Code Red paths


From: "Miller, Brian" <bmille03 () eds com>
Date: Wed, 8 Aug 2001 09:44:16 -0400

I run an IIS server at home just to keep track of things like the Code Red
worm.  I have seen a lot of attacks in my ISS logs.  When I try to put the
source IP of the attack into a web browser and connect, in many cases I am
unable to (the rest of the time I can view the compromised site).  If I am
being attacked by an IIS server running the Code Red worm, a web page should
display unless the server that is attacking me is behind a firewall in the
"secure" internal network.   I can think of a number of scenarios where an
internal network could be compromised by the worm.  I am assuming I am
hitting firewalls that allow outbound on port 80 (allowing the attack) but
filter inbound traffic on port 80 (stopping my packets).  Note that
attempting to connect to a known web server on the standard port is in the
realm of legal.

Note:  I am also seeing a lot of attacks from the Home.com and other cable
and DSL networks.  Anyone who has an IIS server at home might want to think
about applying the patch.

-----Original Message-----
From: robert_david_graham [mailto:robert_david_graham () yahoo com]
Sent: Tuesday, August 07, 2001 9:39 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Code Red paths


I've been talking to a LOT of people inside firewalls, and found that
CodeRed (especially CodeRedII) has successfully penetrated firewalls into
the internals of the network. I know that a lot of sales people I've talked
to have also related the fact that sales calls are being canceled because the
security personnel are running around patching machines (and reinstalling)
inside their networks.

Likewise, looking at CodeRed attacks against my own computer, an amazing
number of them are coming through high ports > 20,000, indicating that they
are going through NATs (Microsoft doesn't allocate client dynamic ports that
high). This indicates the worm found ways through backdoors, then came out
the front doors.

This tells me that for the average corporation, there is a route through the
firewall. Customers often give weird excuses, such as "all my boxes are
secure, but I'm forced to allow somebody else's boxes on my DMZ, and that is
how it snaked through because they were multihomed". Everybody I talked to
had a "properly" configured system, but it snaked around it anyway.

What route do you think it took?

One plausible route is that it hits the HTTP server on the front end, then
bounces through to a backend server. Maybe the backend was running SQL (so
access was required), but somebody left IIS running on the backend for
no good reason AND failed to firewall adequately.

Or maybe there was a dual-homed desktop running Win2k PWS that allowed it
in?

Or was it through a dual-homed machine that the security people weren't
aware was dual-homed?

Are other people seeing the same thing? It seems to me that CodeRedII has
demonstrated how weak the firewall front-ends really are.



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
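Two checks come up in the thread above: Brian Miller is pulling attacking source IPs out of his IIS logs, and Robert Graham is using the TCP source port of the worm's SYN (above the range Windows hands out to clients) as a sign that the packet was rewritten by a NAT device. The script below is an added example, not code from either poster. It parses constructed IIS W3C log lines, classifies each hit as Code Red (the `N`-padded `/default.ida` request) or Code Red II (the `X`-padded one), and then applies the source-port heuristic to a few constructed firewall records, since IIS logs do not record the client port. The log lines, IP addresses, the firewall record format and the `FW_RE` pattern are assumptions made for the example; the Windows 2000 default client port ceiling of 5000 (`MaxUserPort`) is a real default, and Graham's own cut-off of 20,000 can be passed in instead.

```python
"""
Triage Code Red hits in an IIS W3C log and apply the NAT source-port
heuristic to firewall records that carry the TCP source port.
All log lines in this file are constructed samples, not real captures.
"""
import re
from collections import defaultdict

# Code Red v1/v2 padded the .ida overflow with 'N'; Code Red II used 'X'.
# Both variants request /default.ida, which IIS maps to idq.dll.
CODE_RED_RE = re.compile(r"^(N{10,}|X{10,})", re.IGNORECASE)

# Windows 2000 hands client (ephemeral) ports out from 1025 up to 5000 by
# default (the MaxUserPort registry value).  A worm SYN with a higher source
# port was therefore most likely rewritten by a NAT device on the way out.
WINDOWS_DEFAULT_MAX_USER_PORT = 5000

# Assumed firewall log format for the example:
#   "<date> <time> TCP <src-ip>:<src-port> -> <dst-ip>:80 SYN"
FW_RE = re.compile(r"TCP (\d+\.\d+\.\d+\.\d+):(\d+) -> [\d.]+:80 SYN")


def classify_request(uri_stem, uri_query):
    """Return 'CodeRed', 'CodeRedII' or None for one logged request."""
    if uri_stem.lower() != "/default.ida":
        return None
    m = CODE_RED_RE.match(uri_query)
    if not m:
        return None
    return "CodeRedII" if m.group(1).upper().startswith("X") else "CodeRed"


def parse_iis_log(lines):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other W3C directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, values))


def code_red_sources(lines):
    """Map each attacking client IP to the set of worm variants it sent."""
    hits = defaultdict(set)
    for rec in parse_iis_log(lines):
        variant = classify_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if variant:
            hits[rec["c-ip"]].add(variant)
    return dict(hits)


def flag_nat_sources(fw_lines, max_user_port=WINDOWS_DEFAULT_MAX_USER_PORT):
    """Return (ip, port) for port-80 SYNs whose source port is above the
    Windows client range, i.e. probably NAT-rewritten.  Pass
    max_user_port=20000 to reproduce Graham's coarser cut-off."""
    flagged = []
    for line in fw_lines:
        m = FW_RE.search(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        if port > max_user_port:
            flagged.append((ip, port))
    return flagged


# Constructed IIS 5.0 W3C extended log excerpt (sample data, not real).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-07 21:39:12 24.0.0.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 200
2001-08-07 21:41:05 65.0.0.20 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 200
2001-08-07 21:42:30 10.0.0.5 GET /index.htm - 200
2001-08-08 01:02:03 24.0.0.10 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 200
""".splitlines()

# Constructed firewall records for the same attackers (sample data, not real).
SAMPLE_FW_LOG = [
    "2001-08-07 21:39:12 TCP 24.0.0.10:1234 -> 192.168.1.10:80 SYN",
    "2001-08-07 21:41:05 TCP 65.0.0.20:34567 -> 192.168.1.10:80 SYN",
    "2001-08-07 21:43:00 TCP 65.0.0.21:4999 -> 192.168.1.10:80 SYN",
    "2001-08-07 21:44:00 TCP 65.0.0.22:52000 -> 192.168.1.10:80 SYN",
]

if __name__ == "__main__":
    for ip, variants in sorted(code_red_sources(SAMPLE_IIS_LOG).items()):
        print(f"{ip}: {', '.join(sorted(variants))}")
    for ip, port in flag_nat_sources(SAMPLE_FW_LOG):
        print(f"{ip}:{port} source port above Windows client range, likely NAT")
```

The port heuristic only says something about the packet that hit you, so it needs firewall or packet-capture data rather than the IIS log. A source port of 34567 from a host that must be Windows (only Windows IIS hosts run the worm) points at an intermediate NAT or proxy, which is exactly the "inbound filtered, outbound open" case Brian's browser check cannot reach.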

