Vulnerability Development mailing list archives
RE: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)
From: "Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>
Date: Fri, 7 Sep 2001 09:14:13 +0100
That is a policy adopted by some ISPs here in the UK, such as Blueyonder & NTL - if they discover codered traffic from your IP they shut your access down. Except I can see them reversing this policy the next time this happens, due to the amount of complaints to both them and Trading Standards (UK Government organisation that tries to prevent corporations ripping off consumers) from ppl who have no clue what they are doing but know they've lost access to "that internet thing I pay for". Time and money, time and money....

Also just to the poster who made a comment about IIS availability and boxes going down, surely if your IIS system is critical 99.9% you have it running in a cluster of some shape or form? IIS goes down of its own accord all the time, it doesn't need a worm to help it on its way ;)

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company
-----Original Message-----
From: Stanley G. Bubrouski [mailto:stan () ccs neu edu]
Sent: Friday, September 07, 2001 1:33 AM
To: Emre Yildirim
Cc: Kev; vuln-dev () securityfocus com
Subject: Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

On Thu, 6 Sep 2001, Emre Yildirim wrote:

Kev wrote:

Unfortunately, all the world's not the USA (much to the chagrin of many of my fellow citizens, it seems). Also, there are many, many, many clueless admins out there; anybody that has to deal with script kiddies knows just how often Korean (for instance) hosts are broken into and used for all sorts of nefarious purposes. 90% of the time, I'm unable to even report spam to the open relays in that country, because not only is postmaster@ not even present, the contacts listed in whois.nic.or.kr just point into never-never land. I fear we will never see the end of this particular problem :/

I know what you mean. I had to deal with lots of attacks & probes from *ac.kr myself. I think a long time ago there was a discussion on incidents@ (I think, I'm not sure) suggesting to create router ACLs with Korean/offending IP numbers to block them completely from the Internet (similar to e-mail anti-spam lists). But then again, that defeats the purpose of the internet (to communicate around the world).

As long as admins aren't educated and made aware of these problems, it's not going to change at all. But I'm not completely sure if infecting systems with a counter-worm is the solution either. Like some people already pointed out, it does consume lots of bandwidth, sets off IDSs, and irritates people who have Apache servers, whose logs get clogged up by these obsolete requests. Code Red is going to die out some time eventually, just like Melissa did...so I'm not worried about it much.

It may sound unreasonable but using access-lists on routers is a great way for companies and providers to stop the spread of Code Red.

By blocking all traffic from a person's machine they are then forced to call their provider's tech support to report they lost their connection. The provider then can inform the customer they are infected, explain to them they must patch their system, remove them from the ACLs, wait 24 hours and if they show signs they are patched then do not reapply the ACL.

Another way is to turn on router and firewall logging and use ACLs to log http traffic and filter out Code Red infected users and call them and e-mail them the patches. This doesn't block the user from accessing the network like the first method does, but it also doesn't prevent the infected user from infecting more people on the net and congesting the network.

Regards,
Stan

--
Stan Bubrouski stan () ccs neu edu
23 Westmoreland Road, Hingham, MA 02043
Cell: (617) 835-3284

Cheers
--
Emre Yildirim <emre () asper org>
GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)
******************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this email in error and that any use of the information contained within this email or attachments is strictly prohibited. Internet communications are not secure and Softlab does not accept any legal responsibility for the content of this message. Any opinions expressed in the email are those of the individual and not necessarily those of the Company. If you have received this email in error, or if you are concerned with the content of this email please notify the IT helpdesk by telephone on +44 (0)121 788 5480. ********************************************************************
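Added example, not part of the original messages: a sketch of the second approach Stan describes (log HTTP traffic, pick out the Code Red infected customers, then contact them). It assumes the HTTP request lines are available in Common Log Format from a web server or sensor the provider runs; the /default.ida filler signature is the worm's well-known request pattern, not something quoted in the thread, and the addresses, ranges and log lines are constructed.

```python
import ipaddress
import re

# Code Red probes request /default.ida with a long run of one filler
# character: 'N' for the original worm, 'X' for Code Red II.
PROBE = re.compile(r'"GET /default\.ida\?([NX])\1{50,}')
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] (".*)$')
VARIANT = {"N": "Code Red", "X": "Code Red II"}

# Constructed customer range (RFC 5737 documentation network).
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def _line(src, stamp, path):
    return f'{src} - - [07/Sep/2001:{stamp} +0100] "GET {path} HTTP/1.0" 404 205'

# Constructed sample log, not captured traffic.
SAMPLE_LOG = [
    _line("192.0.2.17", "01:12:03", "/default.ida?" + "N" * 224),
    _line("192.0.2.17", "01:40:55", "/default.ida?" + "N" * 224),
    _line("192.0.2.80", "02:05:10", "/default.ida?" + "X" * 224),
    _line("198.51.100.9", "02:06:41", "/default.ida?" + "N" * 224),  # not a customer
    _line("192.0.2.33", "02:07:00", "/index.html"),                  # normal request
    _line("192.0.2.44", "02:09:12", "/default.ida?NNN"),             # too short for the worm
    "truncated garbage line",
]

def infected_customers(lines, customer_nets=CUSTOMER_NETS):
    """Map each customer IP that sent worm probes to variant, count, first/last seen."""
    found = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # malformed line: skip, do not guess
        src, stamp, request = m.groups()
        probe = PROBE.match(request)
        if not probe:
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue                      # hostname or junk in the address field
        if not any(addr in net for net in customer_nets):
            continue                      # outside our ranges: nobody we can call
        rec = found.setdefault(src, {"variant": VARIANT[probe.group(1)],
                                     "count": 0, "first": stamp})
        rec["count"] += 1
        rec["last"] = stamp
    return found

if __name__ == "__main__":
    for ip, rec in infected_customers(SAMPLE_LOG).items():
        print(ip, rec)
```

The first/last timestamps give the "wait 24 hours" check from the first approach something to compare against: a customer whose last probe is older than the waiting period can stay off the ACL.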