[Dshield] Various Updates

Johannes B. Ullrich jullrich at euclidian.com
Wed Aug 8 14:39:56 GMT 2001

  First of all thank you to everyone for providing such a good coverage of
Code Red events. This is surely a time where we hope to make a difference.
Your logs have been very helpful.

  Some general notes regarding the high traffic on this list and the web:

- Please only include relevant quotes from prior mails.
- Some mail systems reject mail if it includes part of the Code Red
  signature. I don't want to recommend not posting any signatures you
  may find in your logs. But you may want to send two mails if your
  mail has content beyond the signature.
- Fightback: Please do not attack systems that scan you. You are on
  very shaky legal ground.
- Time Sync: There are a lot of new log submitters. Please make sure
  your system clocks are in sync. We provide a little tool to help:
  The page http://www1.dshield.org/timestamp.php will send a packet
  to your computer that should be logged by your firewall. Later,
  when you submit the log, it will send you an e-mail indicating the
- DB Maintenance: I did some extensive DB tuning last night. Sorry if
  your login was rejected during that time.

  For port 80 (Code Red) submissions, you will not receive the usual
fightback confirmation email. I will send lists with IP addresses to ISPs
in one email, not the one-email-per-event method most ISPs usually prefer.

  Some ISPs started to block incoming port 80 requests (@home,
RoadRunner). As a result, you may see a slowdown in Code Red attacks.

  If you have been infected by Code Red: Be very careful! The latest
version will install a back door on your system giving attackers full
access. The standard Code Red removal tools will only remove the damage
Code Red did. However, the backdoor will allow others to connect and
change additional files. I strongly recommend reinstalling from scratch
(and don't forget to apply the patches). Do not connect the system to any
network prior to installing the patches.

jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System