Snort mailing list archives

RE: Code Red attacks


From: "Jason Withrow" <jwithrow () mediaone net>
Date: Mon, 17 Sep 2001 07:48:20 -0400

Why bother with the email.

Since CR installs a CMD shell that is freely accessible,
write a script that writes a text file to that user's computer.

- Jason

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Gordon
Ewasiuk
Sent: Monday, September 17, 2001 7:01 AM
To: Peter Borner
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Code Red attacks

On Today, Peter Borner wrote:
Does anyone have any suggestions as to how I can escalate this issue and
get the owners of the offending machines to clean up their act?

Hi Peter,

There are a few tools that will slow down, redirect, or block code red
probes.  Not sure how effective they are... I was lazy and just filtered
incoming code red probes via a dirty little script that updates ACLs on my
Foundry switches.

Some links/tools:

I wrote one too, but in awk.  With a shell script add-on.  It's running
on FreeBSD 4.3 with the following added to apache's httpd.conf:
       CustomLog "| /path/to/coderedalert" common

http://www.it.ca/software/coderedalert - build the email
http://www.it.ca/software/ipcontacts - grabs contact emails for the IP

I got my copy from http://www.dasbistro.com/default_ida_info.html

For Apache, try Apache::CodeRed... available from http://www.cpan.org

To download CodeRed Scanner go to:
http://www.eeye.com/html/Research/Tools/codered.html

CCO official release on blocking code red w/ IOS NBAR -
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

There is a useful document at: http://www.incidents.org/diary/diary.php
which offers an explanation of what CRII does and some useful ways in which
we can stop it, e.g. by filtering at transparent caches etc. - worth a
read.

Regards,

-Gordon

--------------------------------------------------
Gordon Ewasiuk, Certified Sun Fanatic,  Winstar VHC
The REAL office number is here----->  703.893.4901
Tired of BSODs, My Computer, and Code Red?
http://www.sun.com/solaris/binaries/
-------------------------------------------------
  3:50am  up 1 day(s), 19:41,  1 user,  load average: 1.09, 1.15, 1.20



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




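The CustomLog pipe described in the thread hands every access-log line to a script; the block below is an added example of such a filter (not the coderedalert or ipcontacts scripts linked above) that reads Apache common-format lines on stdin, flags Code Red probes by their /default.ida? request, tells the original (N-filler) and Code Red II (X-filler) variants apart, and produces the unique offending addresses that an ACL update script would consume. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Hypothetical "coderedalert"-style filter (added example, not the page's scripts).
# Input: Apache "common" log lines on stdin, as "CustomLog "| script" common"
# delivers them.  Field $1 is the client address, field $7 the request path.

# Constructed sample lines: two Code Red II probes from one host, one
# original Code Red probe, and one ordinary request that must not match.
SAMPLE_LOG='10.0.0.1 - - [17/Sep/2001:07:01:00 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276
10.0.0.2 - - [17/Sep/2001:07:01:05 -0400] "GET /index.html HTTP/1.0" 200 1234
10.0.0.3 - - [17/Sep/2001:07:02:00 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276
10.0.0.1 - - [17/Sep/2001:07:03:00 -0400] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 276'

# Print "<client-ip> <variant>" for every probe line on stdin.
codered_classify() {
  awk '
    # "/default.ida?" is 13 characters; the byte after it is the filler
    # that distinguishes the worm variants.
    index($7, "/default.ida?") == 1 {
      filler = substr($7, 14, 1)
      if (filler == "X")      variant = "CodeRedII"
      else if (filler == "N") variant = "CodeRedI"
      else                    variant = "CodeRed-unknown"
      print $1, variant
    }'
}

# Unique offending addresses, one per line, ready for an ACL update step.
codered_offenders() {
  codered_classify | awk '{ print $1 }' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | codered_classify
printf '%s\n' "$SAMPLE_LOG" | codered_offenders
```

In production the script would read the live pipe instead of the sample and pass each new address to whatever blocks it (switch ACL, firewall rule, or the contact-lookup mailer the thread mentions).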