North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Code Red 2 cleanup; reporting..

  • From: Etaoin Shrdlu
  • Date: Fri Aug 10 00:30:06 2001

mike harrison wrote:
> > FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
> > probes from, and didn't get a shell prompt on any of them. Are people
> > cleaning up their boxes that quickly?
> I have been told, but not personally conformed confirmed of non IIS
> machines being infected with CodeRed (I or II not known, assume II).
> Infection method: running an file from somewhere? They still scan out
> and seek victims, just no webserver running.

Spent nearly two days convincing someone who was managing a server that he
was beating up machines all over the company. It finally took someone at
close to VP level to get him to fix it. Last I heard, he was saying
something on the phone like "Yes sir, you're right sir. Sorry sir." The
thing that sucks is that he KNEW he couldn't be a problem, since he wasn't
running IIS. I had the packet captures and obvious grabs for default.ida to
prove it.

Believe it. I have at least three verified, and that was using web server
logs they'd hit, and ethereal running on the openbsd machine in my office,
which sits right next to the local building router. [Yes, it's true. IRL, I
work for Big Company X.]

No, sorry, lots of people are not cleaning up machines. I'm still being hit
at home by the same machines I got hit by when this first started, for the
most part. Sure, some of them are gone, but some are sure still here.

Open source should be about giving away things voluntarily. When
you force someone to give you something, it's no longer giving, it's
stealing. Persons of leisurely moral growth often confuse giving with
taking.    -- Larry Wall