[Dshield] fighting back against CodeRed

Paul Brogden paul_brogden at lexmultipart.com
Tue Aug 7 15:10:03 GMT 2001


Would these people pay any attention to an anonymous message when they have
already ignored all the warnings from M$, Cert, et al?

What frightens me is that I'm taking a lot of hits from boxes hosted by my
own ISP (normal users' websites, not commercial sites) and that British
Telecom itself was infected (when I called to order ADSL last night I was
told they would call me back - their computers were down because of that
"red worm thing"!).

If the major companies can't get it right ...

As for what can be done with all those boxes - I reckon Steve Gibson is
using them to show The Register (www.theregister.co.uk) the power of raw
sockets - the site has been strangely unavailable all day. <g>

Paul

> -----Original Message-----
> From:	Peter Street [SMTP:lazerfx at ntlworld.com]
> Sent:	Monday, August 06, 2001 9:30 PM
> To:	dshield at dshield.org
> Subject:	RE: [Dshield] fighting back against CodeRed
> 
> ------ Quote
> I'm proposing a program run on a series of machines that listen for
> coderedII
> attempts, and when they receive them, neutralize the coderedII worm on the
> attacking host via the backdoor, run a windows update, or run the patch
> for
> this hole on the attacker, and then reboot the system to bring it back up
> clean of the worm and protected
> ------ /Quote
> 
> I can appreciate this, however, perhaps it would be worthwhile to send
> them
> a message?  Instead of actually backdooring the machine outright, running
> code on it that could, potentially, screw up the machine (Yes, I know the
> possibility is very small, but there is always the chance), why don't we
> use
> the backdoor to send a message to the user, something like, 'You are
> compromised by the CodeRedII virus, get the update from
> windowsupdate.microsoft.com' or similar?
> 
> I'm sure this is possible using access to cmd.exe, and it appears this is
> what the CR-II virus gives you.  I shudder to think what some malicious
> hacker could do to those systems...
> 
> Peter Street / LazerFX
> Creator [http://discworld.imaginary.com]
> Web Developer - Freelance.
> ASP, XML, XSLT, C++, Delphi, DB2, SQL
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www1.dshield.org/mailman/listinfo/dshield


***********************************

Unless explicitly stated otherwise, the views expressed
in this email are personal and may not reflect those of
Lex Multipart. This e-mail and any attachments transmitted
with it are confidential and intended solely for the use
of the individual or entity to whom they are addressed.
If you have any concerns about the appropriate use of
this account or have received this email in error, then
please notify postmaster at lexmultipart.com

For more information about Lex Multipart go to 
http://www.lexmultipart.com
http://www.lex.co.uk

(c)2001 - Lex Multipart

***********************************
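Both posts above talk about listening for CodeRed II probes and knowing which hosts are hitting you; the defensive half of that is recognising the probe in an ordinary web-server log and counting hits per source so the owning ISP can be notified. The script below is an added example, not code from either poster or from the Dshield project. It assumes Common Log Format lines and relies on the publicly documented shape of the worm's request (a GET for /default.ida with a long run of padding characters, 'N' for the original CodeRed and 'X' for CodeRed II, followed by %u-encoded shellcode); that signature is not stated on this page. The log lines are constructed samples, not real captures.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Common Log Format: IP ident user [timestamp] "METHOD TARGET PROTO" STATUS SIZE
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Assumed signature (from public worm analyses, not from this page): a request for
# /default.ida whose query string is a long run of one padding character that
# overflows the IIS .ida ISAPI filter. The original CodeRed padded with 'N',
# CodeRed II with 'X'. Requiring 50+ repeats keeps short, accidental hits out.
IDA_RE = re.compile(r'^/default\.ida\?(?P<pad>[NX])(?P=pad){50,}', re.IGNORECASE)


def classify_request(target: str) -> Optional[str]:
    """Return the worm family for a request target, or None if it is not a probe."""
    m = IDA_RE.match(target)
    if not m:
        return None
    return "CodeRed II" if m.group("pad").upper() == "X" else "CodeRed"


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Walk CLF lines and return one record per CodeRed-style probe seen."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; a production scanner would count these separately
        variant = classify_request(m.group("target"))
        if variant:
            # The status matters to the defender: a 404 means the .ida mapping is gone
            # or the file is missing; a 200 means the server actually processed the probe.
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "variant": variant,
                "status": m.group("status"),
            })
    return hits


def hits_per_source(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count probes by source address; this is the list you would hand to the ISP."""
    return dict(Counter(h["ip"] for h in hits))


def build_sample_log() -> List[str]:
    """Constructed sample log lines (RFC 5737 documentation addresses, not real hosts)."""
    shellcode_tail = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a"
    cr2_probe = "/default.ida?" + "X" * 224 + shellcode_tail
    cr1_probe = "/default.ida?" + "N" * 224 + shellcode_tail
    return [
        '192.0.2.10 - - [07/Aug/2001:14:02:11 +0000] "GET /index.html HTTP/1.0" 200 2326',
        f'203.0.113.5 - - [07/Aug/2001:14:02:13 +0000] "GET {cr2_probe} HTTP/1.0" 404 0',
        '198.51.100.7 - - [07/Aug/2001:14:03:40 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 0',
        f'203.0.113.5 - - [07/Aug/2001:14:05:02 +0000] "GET {cr2_probe} HTTP/1.0" 404 0',
        f'198.51.100.7 - - [07/Aug/2001:14:06:19 +0000] "GET {cr1_probe} HTTP/1.0" 404 0',
    ]


if __name__ == "__main__":
    found = scan_log(build_sample_log())
    for h in found:
        print(f'{h["time"]}  {h["ip"]:<15} {h["variant"]:<10} status={h["status"]}')
    print("probes per source:", hits_per_source(found))
```

The short `/default.ida?XXXX` line is deliberately left unflagged: the padding threshold is what separates a worm probe from someone simply requesting the .ida path, and it is the kind of false-positive boundary worth tuning against your own logs before sending abuse reports.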