Re: Full analysis of the .ida "Code Red" worm.

• Previous message: Tony Langdon: "RE: Mitigating some of the effects of the Code Red worm"
• In reply to: Laurence Hand: "Re: Full analysis of the .ida "Code Red" worm."
• Next in thread: Marc Maiffret: "RE: Full analysis of the .ida "Code Red" worm."
• Reply: Marc Maiffret: "RE: Full analysis of the .ida "Code Red" worm."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 19 Jul 2001, Laurence Hand wrote:

>
> I know MS watches this list, so I hope they will be checking their
> servers before this starts the DDOS tomorrow.
>

I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC,
the next day).  I was getting 5-10 attempts an hour, and I've had 0
since 4:43:29 PDT.

Folks will notice that www.whitehouse.gov is still accessible.  The worm
authors only put in one IP address, the one for www1.whitehouse.gov.  BBN
(who appears to be the provider for whitehouse.gov, according to my
tracert) has blocked that single IP address at their peering points.  So
www2.whitehouse.gov is still running just fine.

Presumably, www.whitehouse.gov used to be RR DNS between the two.  Now,
www.whitehouse.gov resolves to just 198.137.240.92, and it has a TTL of
only 872.

For a relatively clever worm, the author sure screwed up his target list.
Whoops.

					Ryan

• Next message: Stephen Cimarelli: "Re: 'Code Red' does not seem to be scanning for IIS"
• Previous message: Tony Langdon: "RE: Mitigating some of the effects of the Code Red worm"
• In reply to: Laurence Hand: "Re: Full analysis of the .ida "Code Red" worm."
• Next in thread: Marc Maiffret: "RE: Full analysis of the .ida "Code Red" worm."
• Reply: Marc Maiffret: "RE: Full analysis of the .ida "Code Red" worm."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 21:40:31 PDT