[Dshieldannounce] Code Red F

Johannes Ullrich jullrich at euclidian.com
Wed Mar 12 22:40:31 UTC 2003

   We are tracking a new variation of our old friend Code Red.
This version appears to use the same .ida overflow as the
original Code Red. However, reports indicate that it installs
a backdoor as well.

   So far, we see approximately twice the number of sources as
we usually have this time of the month. Last month, we tracked
about 30,000 Code Red infected machines scanning from March 1st
to March 19th. So far, we see more than 50,000 systems scanning 
port 80, in addition to our continuous background of 13,000 sources.

   At this time, I am not planning on raising the infocon to yellow,
as this appears to be essentially a variation of an old threat and
it is unlikely that we will alert anybody new. I do not expect any
widespread effects on network performance.

   Please verify that all IIS servers are patched and unnecessary
file type associations are removed. Filtering port 80 is recommend
if possible.

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org

More information about the Dshieldannounce mailing list