[Dshield] Fighting Code Red

Chris Johnson Kris_Johnson at yahoo.com
Wed Aug 8 02:38:28 GMT 2001

I've seen all these elaborate plans to fix CR2 infected machines that skirt 
dangerously close to trespass in the paranoid world of the IT illiterate 
company director, but I think the solution should be closer to "a slap".

Don't try to patch the machine, don't try to disinfect the computer, don't 
try anything that requires too many variables.  I recommend two things.

* Report the probe to a centralised authority that can warn the owner or 
upstream ISP.  Most of us on this list are already doing that.

* Shut down or reboot the infected service or server.

That second move should be a swift move that can be done blind and 
automated.  And it should have no effect on machines that aren't infected.

The real-world analogy is that someone pokes you so you slap them.  Fast 
and with a sting, but with no possibility of permanent damage.

I've been trying to use the scripts/root.exe? exploit to shut down the IIS 
service using iisreset, but the IIS service by default doesn't have enough 
privileges to run that program.  Perhaps someone else can work out a quick, 
fail-safe way of disabling infected machines without having to spend too 
long in there, and without running the risk of any damage.

Chris A. Johnson http://krisjohn.cjb.net
Kris_Johnson at yahoo.com Mob: 0412 446 312

Sick of problems with e-mail?  Every
attachment a virus?  My ICQ is: 12281057

PGP Key Fingerprint  http://www.pgpi.com
3254 BC93 9D17 C4D0  21DB E050 B69A 8F2A
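The first of the two steps above, spotting the probes and producing something you can forward to the owner or upstream ISP, is easy to automate on the receiving side. The script below is an added example and is not part of Chris's post or of any DShield tool. It assumes web server logs in Apache common log format; the log lines are constructed for the example (source addresses are from the documentation ranges), and the only probe signature it looks for is the `/scripts/root.exe` path mentioned in the post.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache common log format); not real traffic.
# Two sources hit the root.exe path, one of them in upper case; the third is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2001:22:14:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
198.51.100.9 - - [07/Aug/2001:22:14:05 +0000] "GET /index.html HTTP/1.0" 200 1532
203.0.113.7 - - [07/Aug/2001:22:14:09 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
192.0.2.44 - - [07/Aug/2001:22:15:31 +0000] "GET /SCRIPTS/ROOT.EXE?/c+dir HTTP/1.0" 403 221
198.51.100.9 - - [07/Aug/2001:22:16:00 +0000] "GET /about.html HTTP/1.0" 200 2210
"""

# Common log format: ip ident user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request path the post refers to; matched case-insensitively because IIS paths are.
PROBE_RE = re.compile(r'/scripts/root\.exe(\?|$)', re.IGNORECASE)


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text):
    """Return {source_ip: [timestamps]} for every request that hit the root.exe path.

    Benign requests and unparseable lines are skipped rather than treated as hits.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if PROBE_RE.search(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


def build_report(hits):
    """One line per probing source, most active first, ready to forward upstream."""
    lines = []
    for ip in sorted(hits, key=lambda i: -len(hits[i])):
        lines.append(f"{ip}\t{len(hits[ip])} probe(s)\tfirst seen {hits[ip][0]}")
    return lines


if __name__ == "__main__":
    for line in build_report(find_probes(SAMPLE_LOG)):
        print(line)
```

Feed it your real access log instead of `SAMPLE_LOG` and the report gives you one line per probing host with a count and a first-seen time, which is all the owner or ISP needs to find the infected box; the response status does not matter, since the probe is evidence of infection whether or not the request succeeded.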
