[Dshield] fighting back against CodeRed

security@admin.fulgan.com
Tue Aug 7 16:45:40 GMT 2001

PB> Would these people pay any attention to an anonymous message when
PB> they have already ignored all the warnings from M$, Cert, et al?

If it comes directly from their ISP, maybe... Don't forget that most
infected hosts are owned by people that have no clue about the threat. In
such circumstances, it is important to have, not a "generic" warning,
but a specific, targeted warning addressed to THEM personally from
someone they trust.

PB> What frightens me is that I'm taking a lot of hits from boxes hosted by my
PB> own ISP (normal user's websites, not commercial sites) and that British
PB> Telecom itself was infected (when I called to order ADSL last night I was
PB> told they would call me back - their computers were down because of that
PB> "red worm thing"!).

Don't forget the new version of Code Red has a strong tendency to
attack machines on the same network (see the eEye disassembly of the worm
for an explanation of how the IPs to scan are selected).

And, by now, chances are most of the managed servers have been patched
and, for the next few months, their lazy admins might get a bit better
at their job. The real problem is unmanaged machines: the ones owned
by people that have no idea they've been rooted and won't notice it until
someone erases their photo album, changes their wallpaper and fills
their disk with MP3s...

PB> If the major companies can't get it right ...

PB> As for what can be done with all those boxes - I reckon Steve Gibson is
PB> using them to show The Register (www.theregister.co.uk) the power of raw
PB> sockets - the site has been strangely unavailable all day. <g>

Well, to be honest, that's what I'm most afraid of: not the worm
itself, but the hundreds of thousands of now wide-open boxes that
will very shortly be turned into new zombies for DDoS attacks (with
spoofing on, this time; this is Win2k, after all).

Good luck, Stephane
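The same-network scanning bias and the "targeted warning from the ISP" idea above lend themselves to a small log-analysis check. The following is an added example, not code from the original post or from DShield: it parses a constructed firewall log (the line format and all addresses are assumptions), counts inbound port-80 probes per source, and reports how many come from our own /16 and /8 versus elsewhere, then lists the nearby sources that an ISP could notify individually.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log (not real data): "<ts> <src> -> <dst>:<port>".
# Local host is assumed to be 10.20.30.7; RFC 1918 space is used only as sample input.
SAMPLE_LOG = """\
2001-08-07T10:01:12 10.20.5.8 -> 10.20.30.7:80
2001-08-07T10:01:40 10.20.5.8 -> 10.20.30.7:80
2001-08-07T10:02:03 10.99.1.2 -> 10.20.30.7:80
2001-08-07T10:02:15 203.0.113.77 -> 10.20.30.7:80
2001-08-07T10:02:30 10.20.5.8 -> 10.20.30.7:80
2001-08-07T10:03:01 10.20.6.19 -> 10.20.30.7:80
2001-08-07T10:03:44 198.51.100.5 -> 10.20.30.7:25
"""

def parse_hits(log_text, port=80):
    """Count connection attempts per source IP that target the given port."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _arrow, dst = line.split()
        _dst_ip, dst_port = dst.rsplit(":", 1)
        if int(dst_port) == port:
            hits[src] += 1
    return hits

def classify_sources(hits, local_ip):
    """Bucket probe counts by how close the source is to our own address."""
    local = ipaddress.ip_address(local_ip)
    same16 = ipaddress.ip_network(f"{local}/16", strict=False)
    same8 = ipaddress.ip_network(f"{local}/8", strict=False)
    buckets = {"same_16": 0, "same_8": 0, "elsewhere": 0}
    for src, count in hits.items():
        addr = ipaddress.ip_address(src)
        if addr in same16:
            buckets["same_16"] += count
        elif addr in same8:
            buckets["same_8"] += count
        else:
            buckets["elsewhere"] += count
    return buckets

def local_offenders(hits, local_ip):
    """Sources inside our own /16: candidates for a personal notice from the ISP."""
    net = ipaddress.ip_network(f"{local_ip}/16", strict=False)
    return sorted((s, n) for s, n in hits.items() if ipaddress.ip_address(s) in net)

if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    print(classify_sources(hits, "10.20.30.7"))
    print(local_offenders(hits, "10.20.30.7"))
```

A heavy "same_16" share relative to "elsewhere" is what the local-preference scanning described above would look like in a host's own logs.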

