North American Network Operators Group


Re: Code Red 2 cleanup; reporting..

  • From: Mike Lewinski
  • Date: Fri Aug 10 00:41:49 2001

"Christopher A. Woodfield"  wrote:

> > FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
> > probes from, and didn't get a shell prompt on any of them. Are people
> > cleaning up their boxes that quickly?

Did you telnet to port 80 and make a specific http GET request for the
root.exe? It isn't just sitting there in the open....

Another possibility if you actually did that and didn't get the shell is the
(unlikely) event that the admin actually had forethought to limit the ACLs
on their system directory and the worm couldn't copy the needed file
(unlikely because someone who knows enough to do that would have already
patched).

Then "mike harrison" wrote:

> I have been told, but not personally confirmed, of non IIS
> machines being infected with CodeRed (I or II not known, assume II).
> Infection method: running a file from somewhere? They still scan out
> and seek victims, just no webserver running.

I highly doubt this. The vulnerability is very specific to IIS servers, and
unless a new hybrid worm has been released, it's just not possible.

Also note that @Home is now blocking incoming port 80 connections. This will
prevent further infections inbound on their (residential) network, but does
nothing to prevent already compromised hosts from continuing to scan the
rest of the net. This is the most likely reason for seeing scans that don't
look like they are originating from IIS servers. The next most likely reason
is that the worm has totally hosed IIS.

Another possibility is having one public server connected to a LAN that then
infects everything else behind its firewall.

At this point, you can't necessarily deduce anything from an
inability to connect on port 80 to an infected host.

Mike
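The thread turns on identifying which hosts sent Code Red probes so they can be reported, and on Mike's point that a probe source which no longer answers on port 80 cannot be assumed clean. The following is an added example, not code from the original post or from any of the participants: it pulls probe sources out of a web server's access log rather than touching the remote hosts at all. The log lines, source addresses and timestamps are constructed for the example; the probe signature (a GET for /default.ida followed by a long run of filler characters, N for the original worm and X for Code Red II) is taken from the public CERT/CC advisory on Code Red, not from this thread, and the root.exe match simply flags any request naming the file the thread mentions, without assuming a particular path.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache combined format). Source
# addresses are from documentation ranges; nothing here is a real probe.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2001:00:12:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [10/Aug/2001:00:12:05 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Aug/2001:00:13:44 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
203.0.113.99 - - [10/Aug/2001:00:15:10 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
203.0.113.50 - - [10/Aug/2001:00:20:31 -0400] "GET /scripts/root.exe HTTP/1.0" 404 276 "-" "-"
"""

# Apache combined log: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Signatures as described in CERT/CC advisory CA-2001-19 (assumed here, not
# given in the thread): the worm's probe requests /default.ida with a long
# filler run, N for Code Red I and X for Code Red II. A request that names
# root.exe is an attempt to reach the backdoor copy the worm leaves behind.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<filler>N{20,}|X{20,})', re.I)
BACKDOOR_RE = re.compile(r'root\.exe', re.I)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it
    does not parse (blank lines, truncated lines, other formats)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(path):
    """Label a request path as a Code Red I/II probe, a root.exe request,
    or None for ordinary traffic."""
    m = PROBE_RE.match(path)
    if m:
        return ("codered2-probe" if m.group("filler")[0].upper() == "X"
                else "codered1-probe")
    if BACKDOOR_RE.search(path):
        return "root.exe-request"
    return None


def summarize(log_text):
    """Per-source counts of each suspicious request kind."""
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind:
            per_source[rec["src"]][kind] += 1
    return {src: dict(counts) for src, counts in per_source.items()}


def recent_probe_sources(log_text, n=20):
    """Distinct hosts that sent worm probes, most recent first, capped at n.
    This is the list you would report to the originating networks; whether
    a host still answers on port 80 says nothing about whether it is clean."""
    latest = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind and kind.endswith("-probe"):
            src = rec["src"]
            if src not in latest or rec["ts"] > latest[src]:
                latest[src] = rec["ts"]
    return sorted(latest, key=latest.get, reverse=True)[:n]


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        print(src, counts)
    print("report:", recent_probe_sources(SAMPLE_LOG))
```

Running it against a real server's log replaces SAMPLE_LOG with the file contents; the summary separates the two worm variants from plain root.exe requests, and recent_probe_sources gives the ordered source list for reporting without any outbound connection to the hosts in question.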