[Dshield] Short story/Code Red question

Steve Simek ssimek at captivasoftware.com
Wed Aug 8 18:54:09 GMT 2001


On my way out last night the firewall started logging denied outbound
traffic from our 10.x.y.z net. The traffic was all logged as spoofed source
from 24.4.y.z, all port 80, mostly matching the first two octets of the
destination... Hmmm. Code Red II? From behind the wall? As you may have
guessed, it turned out to be a user at home on VPN, with the VPN client checked to use
the default gateway on the remote network. No one was infected since the wall stopped
it, but still of interest.
Now the question. I called the user to advise him he was infected. He had a
vanilla W2K machine and didn't bother to patch it since he didn't think IIS
was on. I've read it's on by default. But not the whole IIS package, I
can't believe that.... Haven't tried it myself.... What's the real answer?
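The pattern described in the post (denied outbound TCP/80 from a source address that does not belong to the inside network, with destinations clustered in the same /8 and /16 as that source) is exactly what Code Red II's locality-biased scanning looks like from a firewall log. The following is an added example, not code from the post or from DShield, that applies that heuristic to a handful of constructed log lines. The log format, the hypothetical source 24.4.17.88 and all destination addresses are made up for the example; the 10.0.0.0/8 inside range is the only thing taken from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not the poster's firewall format or data).
# Format assumed for the example: "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
Aug 07 18:02:11 deny tcp 24.4.17.88:1043 -> 24.4.200.5:80
Aug 07 18:02:11 deny tcp 24.4.17.88:1044 -> 24.4.9.131:80
Aug 07 18:02:12 deny tcp 24.4.17.88:1045 -> 24.4.77.2:80
Aug 07 18:02:12 deny tcp 24.4.17.88:1046 -> 24.101.3.7:80
Aug 07 18:02:13 deny tcp 24.4.17.88:1047 -> 24.4.55.55:80
Aug 07 18:02:13 deny tcp 24.4.17.88:1048 -> 24.250.1.9:80
Aug 07 18:02:14 deny tcp 24.4.17.88:1049 -> 24.4.12.40:80
Aug 07 18:02:14 deny tcp 24.4.17.88:1050 -> 198.51.100.23:80
Aug 07 18:03:01 deny tcp 10.3.2.15:2201 -> 203.0.113.10:443
Aug 07 18:03:05 deny tcp 10.3.2.15:2202 -> 203.0.113.10:443
Aug 07 18:04:40 deny tcp 10.8.1.9:3310 -> 198.51.100.7:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def same_prefix(a, b, bits):
    """True if IPv4 addresses a and b share their first `bits` bits (e.g. 8 or 16)."""
    net = ipaddress.ip_network(f"{a}/{bits}", strict=False)
    return ipaddress.ip_address(b) in net


def analyze(log_text, internal_nets=("10.0.0.0/8",), min_hits=5, min_same8=0.5):
    """Flag sources whose denied outbound TCP/80 traffic clusters near their own address.

    A source is reported when it has at least `min_hits` denied TCP/80 connections
    and at least `min_same8` of the destinations fall in the source's own /8.
    `outside_internal` is True when the source address is not in any inside net,
    which is what a VPN client routing its default gateway through the tunnel
    looks like from the firewall's point of view.
    """
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    by_src = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["action"] == "deny" and rec["proto"] == "tcp" and rec["dport"] == "80":
            by_src[rec["src"]].append(rec["dst"])

    findings = []
    for src, dsts in by_src.items():
        if len(dsts) < min_hits:
            continue
        same8 = sum(same_prefix(src, d, 8) for d in dsts) / len(dsts)
        same16 = sum(same_prefix(src, d, 16) for d in dsts) / len(dsts)
        if same8 < min_same8:
            continue
        src_ip = ipaddress.ip_address(src)
        findings.append({
            "src": src,
            "hits": len(dsts),
            "same8": same8,
            "same16": same16,
            "outside_internal": not any(src_ip in n for n in internal),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['src']}: {f['hits']} denied TCP/80, "
              f"{f['same8']:.0%} in own /8, {f['same16']:.0%} in own /16, "
              f"outside inside nets: {f['outside_internal']}")
```

The thresholds are deliberately loose; the point of the heuristic is that a worm scanning with a locality bias produces a destination distribution no ordinary client does, and a source address that should never appear on the inside interface at all is worth a phone call regardless of the counts.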



