Firewall Wizards mailing list archives
FW: Code Red paths
From: "Miller, Brian" <bmille03 () eds com>
Date: Wed, 8 Aug 2001 09:44:16 -0400
I run an IIS server at home just to keep track of things like the Code Red worm. I have seen a lot of attacks in my ISS logs. When I try to put the source IP of the attack into a web browser and try to connect, in many cases I am unable. (The rest of the time I can view the compromised site.) If I am being attacked by an IIS server running the Code Red worm, a web page should display unless the server that is attacking me is behind a firewall in the "secure" internal network. I can think of a number of scenarios where an internal network could be compromised by the worm. I am assuming I am hitting firewalls that allow outbound on port 80 (allowing the attack) but filter inbound traffic on port 80 (stopping my packets). Note that attempting to connect to a known web server on the standard port is in the realm of legal.

Note: I am also seeing a lot of attacks from the Home.com and other cable and DSL networks. Anyone who has an IIS server at home might want to think about applying the patch.

-----Original Message-----
From: robert_david_graham [mailto:robert_david_graham () yahoo com]
Sent: Tuesday, August 07, 2001 9:39 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Code Red paths

I've been talking to a LOT of people inside firewalls, and found that CodeRed (especially CodeRedII) has successfully penetrated firewalls into the internals of the network. I know that a lot of sales people I've talked to have also related the fact that sales calls are being canceled because the security personnel are running around patching machines (and reinstalling) inside their networks.

Likewise, looking at CodeRed attacks against my own computer, an amazing number of them are coming through high ports > 20,000, indicating that they are going through NATs (Microsoft doesn't allocate client dynamic ports that high). This indicates the worm found ways through backdoors, then came out the front doors. This tells me that for the average corporation, there is a route through the firewall.

Customers often give weird excuses, such as "all my boxes are secure, but I'm forced to allow somebody else's boxes on my DMZ, and that is how it snaked through because they were multihomed". Everybody I talked to had a "properly" configured system, but it snaked around it anyway.

What route do you think it took? One plausible route is that it hits the HTTP server on the front end, then bounces through to a backend server. Maybe the backend was running SQL (so access was required), but somebody left both IIS running on the backend for no good reason AND failed to firewall adequately. Or maybe there was a dual-homed desktop running Win2k PWS that allowed it in? Or was it through a dual-homed machine that the security people weren't aware was dual-homed?

Are other people seeing the same thing? It seems to me that CodeRedII has demonstrated how weak the firewall front-ends really are.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
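The two observations in this thread (Code Red requests showing up in home web-server logs, and infected hosts arriving from source ports above 20,000, which Graham reads as a sign they sit behind a NAT) lend themselves to a small log triage script. The following is an added example written for this archive page, not code posted by either author. It assumes a hypothetical, constructed export format of one record per line (date, time, source IP, source port, destination IP, destination port, method, URI); the sample records are constructed, not real traffic. It recognises the worm's well-known request shape (`GET /default.ida?` followed by a long run of `N` for the first Code Red or `X` for CodeRedII) and applies the post's 20,000-port heuristic as a NAT hint, so a defender can see which sources probably represent a compromised machine on somebody's inside network rather than a directly exposed server.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Code Red's infection request: GET /default.ida? followed by a long run of one
# filler letter ('N' for the original worm, 'X' for CodeRedII) and then the
# %u-encoded payload.  The backreference forces the run to be a single letter.
CODE_RED_RE = re.compile(r"^/default\.ida\?([NX])\1{20,}")
VARIANT_BY_FILLER = {"N": "CodeRed", "X": "CodeRedII"}

# Heuristic from Graham's post: client ports above ~20,000 were not handed out by
# the Windows stack of the day, so a hit from such a port suggests a NAT rewrote it.
NAT_PORT_THRESHOLD = 20000

# Constructed sample records in a hypothetical IDS/firewall export format
# (date time src_ip src_port dst_ip dst_port method uri).  The URIs follow the
# worm's request shape; the addresses are documentation ranges, not real hosts.
CR1_URI = "/default.ida?" + "N" * 60 + "%u9090%u6858%ucbd3=a"
CR2_URI = "/default.ida?" + "X" * 60 + "%u9090%u6858%ucbd3=a"
SAMPLE_LOG = "\n".join([
    f"2001-08-07 21:12:03 192.0.2.10 1043 198.51.100.5 80 GET {CR1_URI}",
    f"2001-08-07 21:12:40 203.0.113.77 31877 198.51.100.5 80 GET {CR2_URI}",
    f"2001-08-07 21:13:02 203.0.113.77 31878 198.51.100.5 80 GET {CR2_URI}",
    "2001-08-07 21:15:11 192.0.2.44 2201 198.51.100.5 80 GET /index.html",
])


@dataclass
class Hit:
    when: str
    src_ip: str
    src_port: int
    variant: str
    nat_hint: bool


def parse_record(line: str) -> Optional[dict]:
    """Split one record of the hypothetical export into named fields; None if malformed."""
    parts = line.split(None, 7)
    if len(parts) != 8:
        return None
    date, time, src_ip, src_port, dst_ip, dst_port, method, uri = parts
    try:
        return {"when": f"{date} {time}", "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port), "method": method, "uri": uri}
    except ValueError:
        return None


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the record is a Code Red infection attempt, otherwise None."""
    rec = parse_record(line)
    if rec is None or rec["method"] != "GET":
        return None
    m = CODE_RED_RE.match(rec["uri"])
    if not m:
        return None
    return Hit(when=rec["when"], src_ip=rec["src_ip"], src_port=rec["src_port"],
               variant=VARIANT_BY_FILLER[m.group(1)],
               nat_hint=rec["src_port"] > NAT_PORT_THRESHOLD)


def analyze(log_text: str) -> List[Hit]:
    """All Code Red hits in a block of log text, in file order."""
    return [h for h in (classify(line) for line in log_text.splitlines()) if h]


def summarize(hits: List[Hit]) -> dict:
    """Per source address: attempt count, variants seen, and whether any hit carried the NAT hint."""
    summary = defaultdict(lambda: {"count": 0, "variants": set(), "nat_suspected": False})
    for h in hits:
        entry = summary[h.src_ip]
        entry["count"] += 1
        entry["variants"].add(h.variant)
        entry["nat_suspected"] = entry["nat_suspected"] or h.nat_hint
    return dict(summary)


if __name__ == "__main__":
    for ip, entry in summarize(analyze(SAMPLE_LOG)).items():
        where = "high source port: likely NATed inside host" if entry["nat_suspected"] else "low source port: likely direct"
        print(f"{ip}: {entry['count']} attempt(s), {'/'.join(sorted(entry['variants']))}, {where}")
```

The NAT hint is only a hint: a high source port says the packet was probably rewritten on its way out, which is exactly the "came out the front door" case in the post, and it is the reason an abuse report to that address should ask the owner to look at machines behind the NAT rather than only at the box that answers on port 80.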
Current thread:
- Re: Code Red Paths Erik J. Varney (Aug 08)
- <Possible follow-ups>
- FW: Code Red paths Miller, Brian (Aug 08)
- Re: FW: Code Red paths Paul Cardon (Aug 10)
- Re:Code Red Paths Erik J. Varney (Aug 10)