nanog mailing list archives
Re: Code Red 2 cleanup; reporting..
From: "Mike Lewinski" <mike () rockynet com>
Date: Thu, 9 Aug 2001 22:39:05 -0600
"Christopher A. Woodfield" wrote:

> FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
> probes from, and didn't get a shell prompt on any of them. Are people
> cleaning up their boxes that quickly?

Did you telnet to port 80 and make a specific http GET request for the root.exe? It isn't just sitting there in the open.... Another possibility, if you actually did that and didn't get the shell, is the (unlikely) event that the admin actually had the forethought to limit the ACLs on their system directory and the worm couldn't copy the needed file (unlikely because someone who knows enough to do that would have already patched).

Then "mike harrison" wrote:

> I have been told, but not personally confirmed, of non-IIS machines being
> infected with CodeRed (I or II not known, assume II). Infection method:
> running a file from somewhere? They still scan out and seek victims, just
> no webserver running.

I highly doubt this. The vulnerability is very specific to IIS servers, and unless a new hybrid worm has been released, it's just not possible.

Also note that @Home is now blocking incoming port 80 connections. This will prevent further infections inbound on their (residential) network, but does nothing to prevent already compromised hosts from continuing to scan the rest of the net. This is the most likely reason for seeing scans that don't look like they are originating from IIS servers. The next most likely reason is that the worm has totally hosed IIS. Another possibility is having one public server connected to a LAN that then infects everything else behind its firewall. At this point, you can't necessarily deduce anything from an inability to connect on port 80 to an infected host.

Mike
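The thread is about identifying and reporting the hosts that probe you, so here is an added example (not from the post or the list) of the defender-side check: parse web server log lines for the Code Red II overflow probe and for requests to the root.exe backdoor path, then emit one line per source host for an abuse report. The sample log lines are constructed; the default.ida request with X padding and the scripts/MSADC root.exe paths are the worm's published indicators and are assumed here, not stated in the post.

```python
import re

# Constructed Common Log Format sample (not from the list post): one host sends a
# Code Red II style probe and then checks for the root.exe backdoor, a second host
# sends only a probe, a third is ordinary traffic, and one line is not CLF at all.
CRII_QUERY = "X" * 224 + "%u9090%u6858...truncated"  # placeholder tail, not the real payload
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [09/Aug/2001:21:55:03 -0600] "GET /default.ida?{CRII_QUERY} HTTP/1.0" 400 -',
    '10.0.0.5 - - [09/Aug/2001:21:55:04 -0600] "GET /scripts/root.exe HTTP/1.0" 404 -',
    '192.0.2.7 - - [09/Aug/2001:21:56:10 -0600] "GET /index.html HTTP/1.1" 200 1234',
    f'198.51.100.9 - - [09/Aug/2001:21:57:41 -0600] "GET /default.ida?{CRII_QUERY} HTTP/1.0" 400 -',
    'garbage line that is not CLF',
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Code Red II pads the overflow URL with X (Code Red I used N); root.exe is the copy of
# cmd.exe the worm drops into the scripts/ and MSADC/ virtual directories.
PROBE_RE = re.compile(r'^GET /default\.ida\?X{20,}')
ROOT_EXE_RE = re.compile(r'^GET /(?:scripts|msadc)/root\.exe', re.IGNORECASE)

def classify(line):
    """Return (ip, timestamp, tag) or None for non-CLF lines; tag is probe/root_exe/other."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req")
    if PROBE_RE.match(req):
        tag = "probe"
    elif ROOT_EXE_RE.match(req):
        tag = "root_exe"
    else:
        tag = "other"
    return m.group("ip"), m.group("ts"), tag

def summarize(log_text):
    """Per source IP with at least one indicator: first time seen, probe and root.exe counts."""
    seen = {}
    for line in log_text.splitlines():
        r = classify(line)
        if r is None or r[2] == "other":
            continue
        ip, ts, tag = r
        entry = seen.setdefault(ip, {"first_seen": ts, "probe": 0, "root_exe": 0})
        entry[tag] += 1
    return seen

def report_lines(log_text):
    """One line per suspect host, ready to paste into an abuse report to the source network."""
    return [f"{ip} first seen {e['first_seen']}: {e['probe']} default.ida probe(s), "
            f"{e['root_exe']} root.exe request(s)" for ip, e in summarize(log_text).items()]

if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_LOG)))
```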