Security Incidents mailing list archives

RE: CodeRed

From: "Fulton L. Preston Jr." <fulton () prestons org>
Date: Thu, 19 Jul 2001 23:25:22 -0400

The actual number of 1.17 million was a mistake.  The author posted a
corrected figure:

<Original message>
Damn, serious methodology error in crunching that.  The correct
figure is (I now believe :-) 293,000.

                Vern
</message>


-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Thursday, July 19, 2001 9:09 PM
To: Dave Laird
Cc: incidents () securityfocus com
Subject: Re: CodeRed 


Glad your machine wasn't hit.

I'm a bit stunned at the moment by a note to Bugtraq from a guy at LBL
who
claims that 1.17 Million different IP addresses have tried his address
space, meaning that at least that many different IIS boxes have been
nailed.  I'm rather amazed.

                                Ryan

On Thu, 19 Jul 2001, Dave Laird wrote:

Good evening, Ryan...

On Thu, 19 Jul 2001, Ryan Russell wrote:

You've got the evidence of an attempt (actually, you've probably had
plenty of attempts) but there is 0 chance that this worm will work

on

Apache on Linux as-is.  Apache responded with a 404, as it should.

The

worm uses Windows system calls, and takes advantage of a hole that

only

exists on IIS.  You needn't be concerned.


WHEW! While I'm not particularly a newbie, nonetheless when I saw the
attempts in my log file, I nearly had a cow in full-blown panic mode.
However, what truly set me back on my heels is that, in investigating
several of my associates who *do* run IIS, I discovered *most* of them

are

already infected or have already installed the "patch". This is not

good at

all. I was frankly *stunned* by the potential this worm has to damage

if not

entirely nullify IIS Web Servers everywhere in the world.

My extreme thanks to everyone on this list for bringing it to my

attention.

Now I can slip back into relative obscurity, uh... right? 8-)

Dave
--
Dave Laird (dlaird () kharma net)
The Used Kharma Lot
Web Page:   http://www.kharma.net updated 07/17/2001
Musicians' Calendar: http://www.kharma.net/calendar.html
Usenet news server : news://news.kharma.net

 Fortune Cookie:
I must have slipped a disk -- my pack hurts!




------------------------------------------------------------------------
----


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com

Current thread:

CodeRed Ryan Russell (Jul 19)
- Re: CodeRed James T Kirk (Jul 20)
- <Possible follow-ups>
- Re: CodeRed Ryan Russell (Jul 19)
  - Re: CodeRed Ryan Russell (Jul 19)
  - RE: CodeRed Ivan (Jul 19)
- RE: CodeRed Fulton L. Preston Jr. (Jul 19)
- Re: CodeRed Ryan Russell (Jul 20)
- RE: CodeRed Tulchinskiy, Sasha (Jul 20)
  - SIRCAM WORM? borakovej (Jul 24)
    - Re: SIRCAM WORM? acz [iSecureLabs] (Jul 24)
- CodeRed terminator (Jul 21)