At 10:24 AM 7/23/2001, Kuo, Jimmy wrote:
>Yes, those too. And a number of other web-enabled interfaces.
>
>Things will be quiet until the 1st of August. You have until then to
>pressure whichever providers to fix whatever broke.
>
>(I was away from home throughout all this. I don't even know if my own DSL
>box will stand up.)
>
>When you say "y'day", did you mean 7/22?

Yes.

> Things should have been quiet
>since 7/19 5PM PDT.

The user was away and didn't report the problem until yesterday. It appears
that the modem may have wedged on 7/14 or thereabouts (by inference from the
date/time of the email traffic that arrived once the modem was unwedged),
but I don't think we can pinpoint it accurately.

> If indeed it was yesterday and lots more people
>experience this, we have to keep an eye out for another worm. Hope it's
>just coincidence.

Sorry to have caused potential confusion... I don't think it's YAW (yet
another worm).

A.

>Jimmy
>
>-----Original Message-----
>From: Andy Johnson-Laird
>To: Kuo, Jimmy; 'Jimmy Sadri '; 'George Heuston '
>Cc: ''crime@private' '
>Sent: 7/23/01 10:19 AM
>Subject: RE: Worm's Potential
>
>I had an instance y'day where a Qwest DSL modem was wedged and, on
>calling Qwest's main support number, the greeting message indicated they
>were seeing instances of this virus wedging modems... the fix
>(fortunately) was just to power cycle the modem. I did this and the
>modem re-started normal operation.
>
>Andy
>
>At 06:27 PM 7/21/2001, Kuo, Jimmy wrote:
>>sigh
>>
>>The worm sent packets to every IP address it computed.
>>
>>If your machine was an unpatched IIS server, it took command via the
>>exploit.
>>
>>If your IIS server was in English, it replaced the pages going out.
>>
>>Then it DoS'ed ...91, which was one of the www.whitehouse.gov sites.
>>
>>In 7 days, it'll go to sleep.
>>
>>In 10 days, someone will unleash it again.
>>
>>There will be fewer machines to take over.
>>
>>We'll still suffer the network overload. Cablemodems will crash, and any
>>number of other Internet machines that process HTTP GETs will crash.
>>
>>But if they change the payload, someone will just come up with another
>>clever way to detour that payload.
>>
>>You're dealing with all the best minds of our great USA working together.
>>Certainly, someone has thought.
>>
>>And it's not over. We're still working on it.
>>
>>Jimmy Kuo
>>
>>-----Original Message-----
>>From: Jimmy Sadri
>>To: George Heuston
>>Cc: 'crime@private'
>>Sent: 7/21/01 4:04 PM
>>Subject: Worm's Potential
>>
>>Has anyone thought that whoever wrote this worm could have done much
>>worse? Somehow I think that if someone were to take this code and change
>>it so it affects all versions (not just English) of MS IIS server and then
>>attack a DNS name like www.microsoft.com or www.yahoo.com, I think we'd be
>>in big trouble... Since this worm only affected the English version of IIS,
>>that leaves the rest of the IIS servers out there in the world still
>>potentially vulnerable. Like I said, maybe whoever wrote this worm wanted
>>to have a second shot at it: by only infecting English version boxes, he
>>now only has to modify his code a little bit to have another shot, this
>>time fixing where he went wrong... attacking an IP address that can be
>>easily changed instead of attacking the name www.whitehouse.gov.
>>
>>Just some food for thought...
>>
>>=======================================================
>>Jimmy Sadri jimmys@private
>>Network Engineer/ jimmys@private
>>Security Consultant
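The thread above describes the worm only in outline (probes to computed IP addresses, an IIS exploit delivered in an HTTP GET, a DoS on a whitehouse.gov address). The following is an added example, not part of the thread or of anyone's posted code, showing how a responder at the time could have pulled the worm's probes out of IIS W3C extended log lines. The request signature it looks for (a GET to `/default.ida` with a long run of `N`s and a `%u`-encoded payload, against the `.ida`/`.idq` Index Server ISAPI extensions) is taken from the public CERT advisory CA-2001-19 and Microsoft bulletin MS01-033, not from this thread; the log lines are constructed for the example, and the field layout, thresholds and function names are the example's own assumptions.

```python
"""Spot Code Red style probes in IIS W3C extended log lines.

Added example; the sample log is constructed, not captured.  The
/default.ida target and the %u-encoded overflow payload come from the
public CERT CA-2001-19 / MS01-033 write-ups, not from the e-mail thread.
"""
import re
from collections import Counter

# Constructed W3C extended log lines (assumed field order):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-07-19 12:01:05 10.0.0.7 GET /index.htm - 200
2001-07-19 12:01:09 192.0.2.41 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-07-19 12:01:10 10.0.0.7 GET /images/logo.gif - 200
2001-07-19 12:02:44 198.51.100.9 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-07-19 12:03:01 203.0.113.77 GET /search.idq CiRestriction=test 200
2001-07-19 12:03:17 10.0.0.9 GET /default.ida XXXXX 404
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
# One %uXXXX escape; the overflow payload is a long string of these.
UNICODE_ESC_RE = re.compile(r"%u[0-9a-fA-F]{4}")
# Extensions routed to the Index Server ISAPI filter that MS01-033 patched.
INDEX_SERVER_EXTS = (".ida", ".idq")


def parse_line(line):
    """Split one log line into fields, or return None for anything unparsable."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry, min_query_len=200):
    """Return a reason string if the request looks like a Code Red probe, else None.

    A hit on an Index Server extension alone is not enough (the .idq search
    line below is a legitimate query); the query must carry the overflow
    payload, recognised by several %u escapes or by sheer length.
    """
    stem = entry["stem"].lower()
    query = entry["query"]
    if not stem.endswith(INDEX_SERVER_EXTS):
        return None
    if len(UNICODE_ESC_RE.findall(query)) >= 4:
        return "ida-unicode-overflow"
    if len(query) >= min_query_len:
        return "ida-long-query"
    return None


def scan(log_text):
    """Return (source ip, uri stem, status, reason) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["stem"], entry["status"], reason))
    return hits


def sources(hits):
    """Count flagged requests per source host.

    The worm sends one probe per victim from each infected host, so the
    number of distinct sources approximates how many infected machines
    swept this server's address.
    """
    return Counter(ip for ip, *_ in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, stem, status, reason in found:
        print(f"{ip:15} {stem:15} {status} {reason}")
    print("distinct sources:", len(sources(found)))
```

The status code is deliberately not used as evidence: a patched or unmapped server logs the same probe with a harmless status, and the thread's point is that the probe traffic itself (every computed address gets one) is what overloads links and wedges modems, whether or not the target was exploitable.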
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:23:59 PDT