[Dshield] Intelligent Code Red - 45 seconds to infect and deploy

Dalantech john at dalantech.com
Thu Aug 2 19:52:17 GMT 2001

With all the parties concerned: May I post your email in the news at
www.dalantech.com ?


John (aka Dalantech)

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Thompson, John J
Sent: Thursday, August 02, 2001 8:53 PM
To: 'dshield at dshield.org'; 'incidents at securityfocus.com'
Subject: [Dshield] Intelligent Code Red - 45 seconds to infect and

Rapid infection, rapid deployment. All in 45 seconds.

I just finished a clean install of Windows 2000 for our website. I had
enabled IP filtering blocking all but 137-139, and 80. Then I needed to get
to my file server to download BlackICE and the patch for Code Red. That
file copy took no more than 45 seconds. I then installed BlackICE and the
patch. Before I restarted, I opened BlackICE to set the advanced filters.
In less than 20 seconds, my machine was attacking 9 hosts before I could
pull the plug.

My machine was attacked, infected, and then was attacking others during less
than a minute of connection to the network. Amazingly, this machine was the
only one attacked. My 5 other Win2k servers and active web server didn't
flag a single attack. How is Code Red finding the vulnerable system without
touching other systems on the same network and infecting it and deploying
itself within 45 seconds???



John Thompson
Network Administrator
Dept. of Biochemistry
University of Iowa
