[Dshield] Fighting Code Red
Kris_Johnson at yahoo.com
Wed Aug 8 02:38:28 GMT 2001
I've seen all these elaborate plans to fix CR2 infected machines that skirt
dangerously close to trespass in the paranoid world of the IT illiterate
company director, but I think the solution should be closer to "a slap".
Don't try to patch the machine, don't try to disinfect the computer, don't
try anything that requires too many variables. I recommend two things.
* Report the probe to a centralised authority that can warn the owner or
upstream ISP. Most of us on this list are already doing that.
* Shut down or reboot the infected service or server.
That second move should be a swift move that can be done blind and
automated. And it should have no effect on machines that aren't infected.
The real-world analogy is that someone pokes you so you slap them. Fast
and with a sting, but with no possibility of permanent damage.
I've been trying to use the scripts/root.exe? exploit to shutdown the IIS
service using iisreset, but the IIS service by default doesn't have enough
privileges to run that program. Perhaps someone else can work out a quick,
fail-safe way of disabling infected machines without having to spend too
long in there, and without running the risk of any damage.
Chris A. Johnson http://krisjohn.cjb.net
Kris_Johnson at yahoo.com Mob: 0412 446 312
Sick of problems with e-mail? Every attachment a virus? My ICQ is: 12281057
PGP Key Fingerprint (http://www.pgpi.com): 3254 BC93 9D17 C4D0 21DB E050 B69A 8F2A
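The first of the two steps above, reporting the probe, needs the probing source pulled out of the web server log and summarised per address (first seen, last seen, hit count, which variant). The following is an added example, not code from the original post: it scans IIS W3C extended log lines for the publicly documented Code Red request signatures (GET /default.ida with a query of repeated N characters for the original worm, repeated X characters for Code Red II, and requests to the /scripts/root.exe or /MSADC/root.exe backdoor that Code Red II leaves behind) and builds a per-source report. The log lines, addresses and timestamps are constructed for the example; the W3C field order it assumes (date, time, client IP, method, URI stem, URI query, status) is an assumption about the logging configuration.

```python
"""Summarise Code Red / Code Red II probes from IIS W3C extended log lines.

Added example (not the original poster's code). The log lines below are
constructed; the W3C field order assumed is:
date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
"""
import re
from collections import defaultdict

# One W3C extended log line with the field order assumed above.
W3C_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# (stem pattern, query pattern or None, label). IIS logs the part after "?"
# as cs-uri-query, so /default.ida?NNNN... splits into stem and query.
SIGNATURES = [
    (re.compile(r"^/default\.ida$", re.I), re.compile(r"^N{20,}"), "CodeRed-v1/v2 probe"),
    (re.compile(r"^/default\.ida$", re.I), re.compile(r"^X{20,}"), "CodeRed-II probe"),
    (re.compile(r"^/(scripts|msadc)/root\.exe$", re.I), None, "CodeRed-II root.exe backdoor"),
]


def classify(stem, query):
    """Return the signature label for a request, or None if it is not a Code Red hit."""
    for stem_re, query_re, label in SIGNATURES:
        if stem_re.match(stem) and (query_re is None or query_re.match(query)):
            return label
    return None


def parse_line(line):
    """Parse one W3C log line into a dict; comment/header lines return None."""
    m = W3C_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines):
    """Return {ip: {"count", "first", "last", "labels"}} for sources that probed us."""
    report = defaultdict(lambda: {"count": 0, "first": None, "last": None, "labels": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["stem"], rec["query"])
        if label is None:
            continue
        ts = rec["date"] + " " + rec["time"]  # ISO-style, so string order == time order
        entry = report[rec["ip"]]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["labels"].add(label)
    return dict(report)


def format_report(report):
    """One line per source, sorted by address, suitable for pasting into a report."""
    out = []
    for ip in sorted(report):
        e = report[ip]
        out.append("%s hits=%d first=%s last=%s %s" % (
            ip, e["count"], e["first"], e["last"], ",".join(sorted(e["labels"]))))
    return out


# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "2001-08-07 13:02:11 192.0.2.10 GET /default.ida " + "N" * 20 + "%u9090%u6858%ucbd3 200",
    "2001-08-07 13:02:12 192.0.2.10 GET /default.ida " + "N" * 20 + "%u9090 200",
    "2001-08-07 13:05:40 198.51.100.7 GET /default.ida " + "X" * 20 + "%u9090%u6858 200",
    "2001-08-07 13:40:01 198.51.100.7 GET /scripts/root.exe /c+dir 200",
    "2001-08-07 13:41:02 203.0.113.5 GET /index.html - 200",
    "2001-08-07 13:42:03 203.0.113.5 GET /default.ida - 404",
]

if __name__ == "__main__":
    for line in format_report(summarise(SAMPLE_LOG)):
        print(line)
```

The last sample line shows why the query is checked as well as the stem: a bare request for /default.ida with no query is not a worm probe and is left out, while 198.51.100.7 is flagged twice, once for the Code Red II probe and again when it comes back through the root.exe backdoor.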