North American Network Operators Group

RE: Code Red : Any whitehouse.gov people around?

If you read through eEye's disasm dump, you can find that it's hardcoded
to the ip of www1.whitehouse.gov, which I don't remember but ends in .91

On Fri, 20 Jul 2001, Dave Stewart wrote:

> At 10:04 AM 7/20/2001, Mike Najarian wrote:
>
> > Has anyone gutted an infected box to determine whether it's going to go for
> > whitehouse.gov
> > www.whitehouse.gov
> > or a hardcoded IP?
>
> While there's incomplete information available in the standard places, it
> appears to be a hardcoded IP.
>
> I, along with many others, have null routed it.... Symantec's site claims
> the IP address is no longer active at any rate.
>
> It *appears* that from xx-20-xxxx through xx-28-xxxx, this thing will
> attack that IP address... meaning that measures already in place will
> minimize damage from the portion of the code that attempts to flood
> 198.137.240.91. Networks where 198.137.240.91 isn't blocked could see
> network congestion, I suppose, if they host a large number of infected
> machines.
>
> I've seen a claim that if the date is greater than 28, the threads just go
> into an infinite sleep.
>
> From what I can see, I would expect another round of probes to take place
> starting on 01-August-2001...

Laurence Berland
http://www.isp.northwestern.edu