I have sent about 5000+ emails over the last week to systems very likely infected with the Red Alert Virus (based on data collected by DShield.org). It was the first time in the 6+ months I am running that service now that I got flooded with abusive e-mail because I attempted to notify sysadmins that their machine was hacked. Many just did not understand that even though the report indicated a hit against port 80, it is not 'usual web traffic'. If you have a web server, there is no need for it to hit port 80 on random machines. Also, how hard is it to check if a machine is ok or not? The Code Red was not very obvious to spot, and it took us a couple of days to find out what was going on. But if someone tells you that a machine on your network is doing something that is perceived as unusual, why not take a quick look?

In short, as long as sysadmins don't start to care and get their systems up to date, things like this will continue to happen. I was lucky that the main submitters of the data were very patient with the abusive responses and took the time to respond to them individually. We are not talking about home users here that installed the latest magic 'improve your modem speed' virus.

Well, I won't give up. I am sure the 'Dark Red Alert' is just around the corner waiting... And I don't mind playing 'whack the worm' for a while. We could send 'RMV's to all Subsevens, or 'noworm' files to all IIS servers. But the next worm will not care... and if someone has no virus scanner they will get reinfected with subseven on their next visit to IRC.

....
> 1) There is something of an ongoing log of affected machines that can be
> obtained from boxes earlier in the IP list.
> 2) Machines which have been compromised can STILL be compromised.
> 3) The worm has a "lysine deficiency" which can be remotely introduced.
.....
>
> Ben Lard
> University of Colorado, Boulder
>

--
-------
jullrichat_private
Join http://www.DShield.org Distributed Intrusion Detection System
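The quick look the post asks for, in code: a web server answering inbound requests on port 80 is normal, but a local host opening connections to port 80 on many unrelated outside addresses is the scanning pattern the notifications were about. This is an added example, not code from the post or from DShield; the log format, the address ranges and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not real DShield submissions), one per line:
# "<date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2001-07-19 22:10:01 192.0.2.10:1034 -> 198.51.100.5:80 TCP
2001-07-19 22:10:02 192.0.2.10:1035 -> 198.51.100.77:80 TCP
2001-07-19 22:10:02 192.0.2.10:1036 -> 203.0.113.9:80 TCP
2001-07-19 22:10:03 192.0.2.10:1037 -> 203.0.113.200:80 TCP
2001-07-19 22:10:03 192.0.2.10:1038 -> 198.51.100.130:80 TCP
2001-07-19 22:10:04 192.0.2.10:1039 -> 203.0.113.44:80 TCP
2001-07-19 22:10:05 203.0.113.9:40123 -> 192.0.2.10:80 TCP
2001-07-19 22:10:06 203.0.113.44:40124 -> 192.0.2.10:80 TCP
2001-07-19 22:10:07 198.51.100.5:40200 -> 192.0.2.10:80 TCP
2001-07-19 22:10:08 192.0.2.20:2001 -> 198.51.100.5:80 TCP
2001-07-19 22:10:09 192.0.2.20:2002 -> 198.51.100.5:443 TCP
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse_log(text):
    """Yield (src_ip, dst_ip, dst_port, proto) for each well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["proto"]

def port80_fanout(text, local_prefix):
    """Count distinct outside hosts each local address connected to on TCP/80.
    Inbound hits on our own port 80 are ordinary web traffic and are ignored."""
    targets = defaultdict(set)
    for src, dst, dport, proto in parse_log(text):
        outbound = src.startswith(local_prefix) and not dst.startswith(local_prefix)
        if proto == "TCP" and dport == 80 and outbound:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}

def suspect_scanners(text, local_prefix, min_targets=5):
    """Local hosts whose port-80 fan-out reaches min_targets distinct outside addresses."""
    fanout = port80_fanout(text, local_prefix)
    return sorted(src for src, n in fanout.items() if n >= min_targets)

if __name__ == "__main__":
    fanout = port80_fanout(SAMPLE_LOG, "192.0.2.")
    for host in suspect_scanners(SAMPLE_LOG, "192.0.2."):
        print(f"{host}: port 80 on {fanout[host]} distinct outside hosts, worth a look")
```

Run against the sample, only 192.0.2.10 is flagged: its own inbound web hits do not count, and 192.0.2.20 talking to a single site is normal client traffic.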
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 22:51:57 PDT