[Dshield] fighting back against CodeRed

Samuel Samuel at socal.rr.com
Wed Aug 8 16:53:20 GMT 2001


A cable-modem ISP can "disconnect" and re-connect a cable-modem using software automatically, as when the bill has not been paid. Supposedly they do it by addressing the MAC address in the cable-modem but that detail is not important. What is important is that it seems very easy for them to do. I assume that the same or something similar can be done for all other connection types.

  ----- Original Message ----- 
  From: Mark Ludwig 
  To: dshield at dshield.org 
  Sent: Wednesday, August 08, 2001 4:49 AM
  Subject: Re: [Dshield] fighting back against CodeRed


  Nevertheless, this still seems to me to be the best approach we can use.  It completely avoids all the legal and moral issues that the White Hat Hacking proposal raises. 
  Vague analogy: protect uninfected machines by quarantining the infected ones. 

  Is this technically feasible?  Seems to me that part of the problem is going to be that the router has to accumulate, in non-volatile storage, information about MAC addresses of infected machines, and require manual intervention to allow communication with those machines ever again.  This also doesn't help the other machines on the subnet, but that's the way it goes, I guess.  (*Shrug*) 

  Mark 

  Mark Martin wrote: 

    BTW, dropping the packets won't impact the attempt. 
    Mark 

    -----Original Message----- 
    From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Quibell, Marc 
    Sent: Monday, August 06, 2001 2:32 PM 
    To: 'dshield at dshield.org' 
    Subject: RE: [Dshield] fighting back against CodeRed 

    Good idea. I was just thinking on how we can turn this code-red worm back 
    and neutralize the infected machine. But first we must have a way of 
    automatically identifying a code-red attack and then injection of the "Code 
    Red patch code". Or we'll have to do it manually. If any programmer would be 
    kind enough to develop an .exe that would expose the 'backdoor', get in and 
    have the server run the patch via a script file, I'm all for it... In the 
    meantime I'll be concentrating on how to get the routers to drop packets and 
    maybe the code-red, not getting a return reply, will drop its attempts... 

    _______________________________________________ 
    Dshield mailing list 
    Dshield at dshield.org 
    To change your subscription options (or unsubscribe), see: http://www1.dshield.org/mailman/listinfo/dshield

  -- 
  "Enjoy your body.  Use it every way you can. 
   Don't be afraid of it or what other people think of it. 
   It's the greatest instrument you'll ever own." 
    -- Mary Schmich via Baz Luhrmann 
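An added illustration, not code from anyone on this thread, of the quarantine idea Mark Ludwig sketches above and the automatic identification Marc Quibell asks for, done in Python rather than on a router: hosts seen sending CodeRed's `/default.ida` probe in a web log go into a persistent deny list that only an operator can clear. The log lines are constructed, the list is keyed by source address rather than MAC, and the file name stands in for the router's non-volatile storage.

```python
import re
from pathlib import Path

# Placeholder for the router's non-volatile storage.
QUARANTINE_FILE = "quarantine.txt"

# CodeRed spreads with an oversized GET for /default.ida (the IIS Index
# Server .ida ISAPI overflow); that request path is the probe signature.
CODERED_PROBE = re.compile(r'"GET /default\.ida\?[NX]{20,}')

# Constructed IIS-style log lines: two CodeRed probes from one host, one normal request.
SAMPLE_LOG = [
    '10.0.0.7 - - [08/Aug/2001:04:49:10 +0000] "GET /default.ida?' + "N" * 40 + ' HTTP/1.0" 400 0',
    '10.0.0.9 - - [08/Aug/2001:04:50:02 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.7 - - [08/Aug/2001:04:51:33 +0000] "GET /default.ida?' + "X" * 40 + ' HTTP/1.0" 400 0',
]

def load_quarantine(path=QUARANTINE_FILE):
    p = Path(path)
    return set(p.read_text().split()) if p.exists() else set()

def save_quarantine(hosts, path=QUARANTINE_FILE):
    Path(path).write_text("\n".join(sorted(hosts)))

def detect_infected(log_lines):
    """Return the source addresses that sent a CodeRed probe."""
    return {line.split()[0] for line in log_lines if CODERED_PROBE.search(line)}

def quarantine(log_lines, path=QUARANTINE_FILE):
    """Accumulate probing hosts in the persistent list; nothing is ever dropped here."""
    hosts = load_quarantine(path) | detect_infected(log_lines)
    save_quarantine(hosts, path)
    return hosts

def is_allowed(src, path=QUARANTINE_FILE):
    """The forwarding decision: quarantined hosts get no traffic through."""
    return src not in load_quarantine(path)

def release(src, path=QUARANTINE_FILE):
    """Manual intervention only: an operator removes a host once it is cleaned."""
    hosts = load_quarantine(path)
    hosts.discard(src)
    save_quarantine(hosts, path)

if __name__ == "__main__":
    print("quarantined:", quarantine(SAMPLE_LOG))
```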


