Snort mailing list archives
RE: Code Red attacks
From: "Jason Withrow" <jwithrow () mediaone net>
Date: Mon, 17 Sep 2001 07:48:20 -0400
Why bother with the email? Since CR installs a CMD shell that is freely accessible, write a script that writes a text file to that user's computer.

- Jason

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Gordon Ewasiuk
Sent: Monday, September 17, 2001 7:01 AM
To: Peter Borner
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Code Red attacks

On Today, Peter Borner wrote:
> Does anyone have any suggestions as to how I can escalate this issue and
> get the owners of the offending machines to clean up their act?
Hi Peter,

There are a few tools that will slow down, redirect, or block code red probes. Not sure how effective they are...I was lazy and just filtered incoming code red probes via a dirty little script that updates ACLs on my Foundry switches.

Some links/tools:
I wrote one too, but in awk. With a shell script add-on. It's running on FreeBSD 4.3 with the following added to apache's httpd.conf:

    CustomLog "| /path/to/coderedalert" common

http://www.it.ca/software/coderedalert - build the email
http://www.it.ca/software/ipcontacts - grabs contact emails for the IP

I got my copy from http://www.dasbistro.com/default_ida_info.html
For Apache, try Apache::CodeRed... available from http://www.cpan.org

To download CodeRed Scanner go to: http://www.eeye.com/html/Research/Tools/codered.html

CCO official release on blocking code red w/ IOS NBAR - http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
There is a useful document at: http://www.incidents.org/diary/diary.php which offers an explanation of what CRII does and some useful ways on how we can stop it eg by filtering at transparent caches etc - worth a read.

Regards,
-Gordon

--------------------------------------------------
Gordon Ewasiuk, Certified Sun Fanatic, Winstar VHC
The REAL office number is here-----> 703.893.4901
Tired of BSODs, My Computer, and Code Red? http://www.sun.com/solaris/binaries/
-------------------------------------------------
3:50am up 1 day(s), 19:41, 1 user, load average: 1.09, 1.15, 1.20

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
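A defender-side stand-in for the log filter Gordon describes (an Apache CustomLog pipe feeding an awk script), added here as an example; it is not code from the thread or from the coderedalert tool. The /default.ida probe signature, the common-log-format field positions and the sample log lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not code from the thread or from the coderedalert tool.
# Reads Apache common-log-format lines on stdin (as a CustomLog "| ..." pipe
# would supply them) and prints "<client ip> <probe count>" for each source
# that sent Code Red style probes: a GET for /default.ida whose query string
# starts with a long run of N (Code Red) or X (Code Red II). Assumed signature.

codered_sources() {
    awk '
        # Common log format: $1 client IP, $6 is "\"GET", $7 request path.
        $6 == "\"GET" && $7 ~ /^\/default\.ida[?](NNNNNNNNNN|XXXXXXXXXX)/ {
            hits[$1]++
        }
        END { for (ip in hits) print ip, hits[ip] }
    ' | sort
}

# Constructed sample log lines (documentation-range addresses, not real
# traffic): two probes from one host, one from another, one normal request.
SAMPLE_LOG='192.0.2.10 - - [17/Sep/2001:07:01:00 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [17/Sep/2001:07:01:05 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [17/Sep/2001:07:02:00 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [17/Sep/2001:07:03:00 -0400] "GET /index.html HTTP/1.1" 200 1024'

# Run the filter over the sample; in production the CustomLog pipe supplies
# the input instead, and the output feeds your alerting or ACL update step.
sample_report() {
    printf '%s\n' "$SAMPLE_LOG" | codered_sources
}

sample_report
```

Hosts that only fetch normal pages never appear in the report, so the output is a per-source probe count rather than a copy of the whole log.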