[Dshield] fighting back against CodeRed
Samuel at socal.rr.com
Wed Aug 8 16:53:20 GMT 2001
A cable-modem ISP can "disconnect" and re-connect a cable-modem using software automatically, as when the bill has not been paid. Supposedly they do it by addressing the MAC address in the cable-modem, but that detail is not important. What is important is that it seems very easy for them to do. I assume that the same or something similar can be done for all other connection types.
----- Original Message -----
From: Mark Ludwig
To: dshield at dshield.org
Sent: Wednesday, August 08, 2001 4:49 AM
Subject: Re: [Dshield] fighting back against CodeRed
Nevertheless, this still seems to me to be the best approach we can use. It completely avoids all the legal and moral issues that the White Hat Hacking proposal raises.
Vague analogy: protect uninfected machines by quarantining the infected ones.
Is this technically feasible? Seems to me that part of the problem is going to be that the router has to accumulate, in non-volatile storage, information about MAC addresses of infected machines, and require manual intervention to allow communication with those machines ever again. This also doesn't help the other machines on the subnet, but that's the way it goes, I guess. (*Shrug*)
Mark Martin wrote:
BTW, dropping the packets won't impact the attempt.
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Quibell, Marc
Sent: Monday, August 06, 2001 2:32 PM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] fighting back against CodeRed
Good idea. I was just thinking on how we can turn this code-red worm back
and neutralize the infected machine. But first we must have a way of
automatically identifying a code-red attack and then injection of the "Code
Red patch code". Or we'll have to do it manually. If any programmer would be
kind enough to develop an .exe that would expose the 'backdoor', get in and
have the server run the patch via a script file, I'm all for it... In the
meantime I'll be concentrating on how to get the routers to drop packets and
maybe the code-red, not getting a return reply, will drop its attempts...
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see: http://www1.dshield.org/mailman/listinfo/dshield
"Enjoy your body. Use it every way you can.
Don't be afraid of it or what other people think of it.
It's the greatest instrument you'll ever own."
-- Mary Schmich via Baz Luhrmann