Re: Code Red 2 cleanup; reporting..

["Steven M. Bellovin" <smb () research att com>]

In message <3B7360B4.71755CA7 () deaddrop org>, Etaoin Shrdlu writes:
> mike harrison wrote:
> > > FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
> > > probes from, and didn't get a shell prompt on any of them. Are people
> > > cleaning up their boxes that quickly?
> >
> > I have been told, but not personally conformed confirmed of non IIS
> > machines being infected with CodeRed (I or II not known, assume II).
> > Infection method: running an file from somewhere? They still scan out
> > and seek victims, just no webserver running.
>
> Spent nearly two days convincing someone who was managing a server that he
> was beating up machines all over the company. It finally took someone at
> close to VP level to get him to fix it. Last I heard, he was saying
> something on the phone like "Yes sir, you're right sir. Sorry sir." The
> thing that sucks is that he KNEW he couldn't be a problem, since he wasn't
> running IIS. I had the packet captures and obvious grabs for default.ida to
> prove it.
>
> Believe it. I have at least three verified, and that was using web server
> logs they'd hit, and ethereal running on the openbsd machine in my office,
> which sits right next to the local building router. [Yes, it's true. IRL, I
> work for Big Company X.]

So -- if he wasn't running IIS, what was he running?

                --Steve Bellovin, http://www.research.att.com/~smb