[Dshield] fighting back against CodeRed

Steve D. Perkins sdp at sdpnet.net
Tue Aug 7 17:36:00 GMT 2001


I second the motion.

Steve

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Scott Howell
Sent: Tuesday, August 07, 2001 11:07 AM
To: dshield at dshield.org
Subject: Re: [Dshield] fighting back against CodeRed


I agree...

You have my vote....

-Scott

-----Original Message-----
From: Paul Marsh <pmarsh at nmefdn.org>
To: 'dshield at dshield.org' <dshield at dshield.org>
Date: Tuesday, August 07, 2001 11:29 AM
Subject: RE: [Dshield] fighting back against CodeRed


>Josh:
>
> I can't agree with you more, I'm really getting tired of seeing this
>stuff in my log, especially from the same IPs over and over again.  I think
>this is a very proactive instead of reactive idea, good job, let's do it.
>
>Thanx, Paul
>
>
>-----Original Message-----
>From: Josh Ballard [mailto:jballard at cloud.cc.ks.us]
>Sent: Sunday, August 05, 2001 10:38 PM
>To: dshield at dshield.org
>Subject: [Dshield] fighting back against CodeRed
>
>
>I was thinking earlier this evening of how in the heck we are going to deal
>with codered, and I have a possible solution via the backdoor we've been
>given in v2.  If anyone has an idea of how we can force Windows Update to
>run on a machine and reboot when done, then we can start shutting down these
>v2 worms.  You see, we have the ability to do nearly anything we wish via
>the backdoor in coderedII.  I know this isn't the solution that everyone
>wants, and I know I don't have the skills to do this, but I do have an idea,
>and we have to start somewhere.  I'm not proposing an anti-worm.  I'm
>proposing a program run on a series of machines that listen for coderedII
>attempts, and when they receive them, neutralize the coderedII worm on the
>attacking host via the backdoor, run a windows update, or run the patch for
>this hole on the attacker, and then reboot the system to bring it back up
>clean of the worm and protected.  It's obvious as of all this time that we
>are simply not going to get every single person in the world to patch their
>machines and disinfect, and in fact we know a lot of these are simply not
>going to be patched unless someone outside does it.  Does anyone else see
>this as a viable solution?  I know this simply isn't the answer we have been
>looking for, but it may be the best option we have right now.  I know we
>don't really feel like we should start backdooring people's machines, and we
>start looking at ethics, and I totally believe that these sorts of worms and
>backdoors are completely unethical, but we have been handed the key to the
>door, and I propose we use it for this "good" purpose before someone else
>starts exploiting it for the worse and blasting us all with millions of huge
>ping packets or potentially something worse.
>
>Josh Ballard
>oofle.com Linux Firewall Center
>http://www.oofle.com/
>jballard at cloud.cc.ks.us
>
>_______________________________________________
>Dshield mailing list
>Dshield at dshield.org
>To change your subscription options (or unsubscribe), see:
>http://www1.dshield.org/mailman/listinfo/dshield
>
