Security Incidents mailing list archives
RE: CodeRed
From: "Ivan" <ivan () incode com au>
Date: Fri, 20 Jul 2001 13:30:08 +1000
Sounds like a lot of infected machines, not sure how accurate that number is. I only began to see these attempts today, and so far it's been 8 attempts. Maybe the netblock here in Australia is boring.

inetnum: 210.8.0.0 - 210.8.255.255
netname: CONNECT-AU
descr: connect.com.au pty ltd
descr: Australian Internet Service Provider

Ivan

-----Original Message-----
From: incidents-return-565-ivan=incode.com.au () securityfocus com [mailto:incidents-return-565-ivan=incode.com.au () securityfocus com]On Behalf Of Ryan Russell
Sent: Friday, 20 July 2001 11:09 AM
To: Dave Laird
Cc: incidents () securityfocus com
Subject: Re: CodeRed

Glad your machine wasn't hit. I'm a bit stunned at the moment by a note to Bugtraq from a guy at LBL who claims that 1.17 Million different IP addresses have tried his address space, meaning that at least that many different IIS boxes have been nailed. I'm rather amazed.

Ryan

On Thu, 19 Jul 2001, Dave Laird wrote:

> Good evening, Ryan...
>
> On Thu, 19 Jul 2001, Ryan Russell wrote:
>
> > You've got the evidence of an attempt (actually, you've probably had plenty of attempts) but there is 0 chance that this worm will work on Apache on Linux as-is. Apache responded with a 404, as it should. The worm uses Windows system calls, and takes advantage of a hole that only exists on IIS. You needn't be concerned.
>
> WHEW! While I'm not particularly a newbie, nonetheless when I saw the attempts in my log file, I nearly had a cow in full-blown panic mode. However, what truly set me back on my heels is that, in investigating several of my associates who *do* run IIS, I discovered *most* of them are already infected or have already installed the "patch". This is not good at all. I was frankly *stunned* by the potential this worm has to damage if not entirely nullify IIS Web Servers everywhere in the world.
>
> My extreme thanks to everyone on this list for bringing it to my attention. Now I can slip back into relative obscurity, uh... right? 8-)
>
> Dave
> --
> Dave Laird (dlaird () kharma net)
> The Used Kharma Lot
> Web Page: http://www.kharma.net updated 07/17/2001
> Musicians' Calendar: http://www.kharma.net/calendar.html
> Usenet news server : news://news.kharma.net
> Fortune Cookie: I must have slipped a disk -- my pack hurts!
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com