[Dshield] Notes from the field about CR going into Hibernation ?

Robert robert at chalmers.com.au
Thu Aug 9 21:55:49 GMT 2001

Had the same problem. Thousands of IP numbers, addresses etc, and no
apparent way of contacting anyone responsible for them.

It's no wonder the Internet gets attacked by every 13 year old with delusions
of grandeur. The lights are on, but nobody is home!

Surely there is some governing body - ARIN/APNIC etc who can trace down on
this problem, after all isn't that why so much money is paid to these
organisations?


> It's true...
> some progress has been made to eradicate the CodeRed3 virus in many
> companies and it seems (KNOCK ON ROUTER) that the Internet is starting
> to stabilize. A hopeful note is that several major corporations have
> privately reported that their situations are starting to improve as
> offices have contained the problem.
> I am told to understand the latest version of the virus is set to
> "hibernate" shortly and it will be interesting to see, if and when it
> happens. However, it will leave many systems in an infected or still
> exposed state for re-infection. If these systems unpatched and virus
> detection is not implemented in the near future, we stand to see a
> fractional repeat of this incident in the future.
> Surprisingly, there are still quite a few Sys-Admins who have not taken
> steps, issued by MS, SANS, Unisys and others, to apply the necessary
> patches and anti-virus software.
> As a public effort, I have had my security team collect about 1800+
> attacking IPs, of which only 300 were "traceable" HARD IP address
> servers (non-DHCP). In our spare time, the team has started trying to
> contact these sites to warn them and point them to patches and
> support URLs.
> One of the biggest issues the team is faced with is that we are finding
> point of contact information for about 25% of the sites is an ISP block
> of addresses, invalid, or wrong.
> Of those, we can trace, about 1/4 or so have never replied to calls or
> in 2+ days.
> About 1/2 or so have auto-bots asking for more info, despite us
> providing trace logs with DNS-NAME, IP, System Name, Traceroute,
> Group ID, etc.
> There is hope, we are able to contact about 1/4 and speak to a human
> voice.
> As a bonus, we have collected some real funny stories along the way, in
> trying to help.
> Sincerely,
> ____________
> John Kida
> North America Director of Enterprise Security Solutions
> Unisys, Corp.
> "Security & Trust are things that must be reassessed on a regular basis"