Re: Code Red on dial-in ppp

["Jason A. Mills" <phyxis () rottweiler org>]

I'm not sure I see why a POTS PPP link, or some other slow(er) on demand
link might stop CodeRed. The first-pass payload is under 4096 bytes
including framing, not exactly something you need a lot of low-latency
bandwidth to push through. :-/

-J


On Sat, 21 Jul 2001, Mitch Halmu wrote:

> You may have received the following from codered () securityfocus com
>
> This mail is from the ARIS Analyzer Service (Attack Registry and
> Intelligence Service) from SecurityFocus. It has come to our attention
> that your system(s), listed below have been identified as being
> compromised by the Code Red Worm.  The Code Red Worm is rapidly
> spreading across the Internet, compromising vulnerable Windows NT IIS
> servers.
>
> The addresses identified as belonging to you are as follows:
>
> [ dynamic dial-in ip ]
> [ dynamic dial-in ip ]
>
> [snip]
>
> This makes me think that the worm is capable to infect not only
> dedicated web servers, but also dial-in customers running ppp that
> happen to be online when the attack occurs. NetSide is an all Sun
> sparc shop and we don't have any Windows based machines, but I can see
> this worm being alive and spreading for a long time if dial-in users
> are affected.
>
> Unfortunately, they don't provide a date and time stamp, so
> identifying the actual user is not possible. I can provide web server
> log extracts to whomever collects/analyzes such information (John O.,
> sorry but you're bouncing my email - get rid of MAPS).
>
> --Mitch
> NetSide



             Jason A. Mills           phyxis () rottweiler org
             ----------------------------------------------
              "La morale est la faiblesse de la cervelle."
                 Arthur Rimbaud --- Une Saison en Enfer