nanog mailing list archives
Code Red seemingly on firewall (Re: Code Red on dial-in ppp)
From: "E.B. Dreger" <eddy+public+spam () noc everquick net>
Date: Sat, 21 Jul 2001 18:40:11 +0000 (GMT)
Date: Sat, 21 Jul 2001 10:40:47 -0400 (EDT)
From: Mitch Halmu <mitch () netside net>
To: nanog () merit edu
Subject: Code Red on dial-in ppp

You may have received the following from codered () securityfocus com

[ snip ]

One of our clients received said message noting that CR might be on their Watchguard firewall -- which has no service listening on port 80.

Here's what I think happened:

* CodeRed infects IP addr 1.2.3.4 (some valid public IP)
* IP addr 1.2.3.4 is bound as secondary, with RFC1918 as primary
* Said server is behind NAT-providing firewall
* When infected server contacts the outside world, it uses the private IP, which the firewall then masquerades.

This client has several NT boxen behind their firewall so who knows which the culprit is -- or are.

Just an FYI that will hopefully help others who encounter similar situations.

Eddy

---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------
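
An added example, not part of the original post: with the masquerading described above, the reported address is the firewall's, so the inside host has to be found from the firewall's own connection log. The Python below counts, per RFC1918 source translated to the reported address, how many distinct outside hosts it contacted on TCP/80. The key=value log format, the addresses and the threshold are assumptions constructed for illustration, not WatchGuard's format.

```python
import ipaddress
import re
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical key=value log format (an assumption, not a real product's).
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) nat_src=(?P<nat>\S+)"
)

def suspected_hosts(log_text, reported_ip, threshold=5):
    """Map each RFC1918 source masqueraded as `reported_ip` to the number of
    distinct outside addresses it contacted on TCP/80, keeping only sources
    at or above `threshold` (a hypothetical cut-off for scan-like fan-out)."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if (not m or m["proto"] != "tcp" or m["dport"] != "80"
                or m["nat"] != reported_ip):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # skip lines with unparsable addresses
        inside = any(src in net for net in RFC1918)
        outside = not any(dst in net for net in RFC1918)
        if inside and outside:
            targets[str(src)].add(str(dst))
    return {ip: len(d) for ip, d in targets.items() if len(d) >= threshold}

# Constructed sample data: .10 browses two sites, .20 fans out to eight
# hosts on port 80, .30 is a mail server talking to many hosts on port 25.
PUBLIC = "203.0.113.5"
FMT = "allow proto=tcp src={} dst={} dport={} nat_src=" + PUBLIC
SAMPLE_LOG = "\n".join(
    [FMT.format("192.168.1.10", f"198.51.100.{n}", 80) for n in (7, 9)]
    + ["garbled line without fields"]
    + [FMT.format("192.168.1.20", f"198.51.100.{n}", 80) for n in range(100, 108)]
    + [FMT.format("192.168.1.30", f"192.0.2.{n}", 25) for n in range(1, 9)]
)

if __name__ == "__main__":
    for host, count in suspected_hosts(SAMPLE_LOG, PUBLIC).items():
        print(f"{host}: {count} distinct outside hosts on TCP/80")
```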