This assumes that the source IP that shows up in your weblogs is the IP address of an infected IIS server. This is not necessarily the case, as this IP could also be a proxy server or NAT address that the infected IIS server uses when making outbound internet requests. FWIW, I just did a quick survey of our "Code Red" hits and was unable to find webservers running on any of these source IPs.

-----Original Message-----
From: Jimmy Sadri [mailto:jimmys@private]
Sent: Thursday, August 02, 2001 2:22 PM
To: 'crime@private'
Subject: Hacker Delight

As I was sitting here filtering out all the "Code Red" hits on my IDSs and firewalls, a thought occurred to me... This could be a hacker's delight, in the sense that all a hacker has to do is sit back and wait for the "Code Red" hits to show up in his logs. He then has a potential list of targets which are known to be vulnerable. No searching required. Using the code provided by that Japanese dude "Speed Junkie", they could easily go through each of these boxes as they appear in the logs. The user will assume (if they ever figure it out) that it was just the "Code Red" worm... But my point: all these boxes infected by the are simply beacons saying "Come hack me! And here's my IP so you don't have to search for me." Hmmmm, hope for everyone's (everyone meaning IIS users) sake that I am the only one to think of this.

=======================================================
Jimmy Sadri                  jimmys@private
Network Engineer/            jimmys@private
Security Consultant
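The thread above turns on two points: Code Red probes in a web server's logs identify the hosts (or, per the reply, the NAT/proxy addresses) that the worm is spreading from, and an operator filtering those hits wants them aggregated per source so the owner can be notified or the address blocked. The following is an added example, not code from either poster: it parses Common Log Format lines, matches the `/default.ida?` probe that Code Red sends (N filler for the first variants, X filler for Code Red II), and reports hits, first/last seen and variant per source address. The log lines are constructed for the example, with the worm's filler shortened; the IP addresses are documentation ranges, and the variant labels are this example's own naming.

```python
import re
from datetime import datetime

# Code Red's probe: GET /default.ida? followed by a long run of N (CRv1/v2)
# or X (CRII) filler, then %u-encoded bytes. Applied to the request field only.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?([NX]){8,}")

# Common Log Format: client ident user [timestamp] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic); the real probe carries far more filler.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Aug/2001:14:01:12 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
10.0.0.5 - - [02/Aug/2001:14:03:40 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
192.0.2.77 - - [02/Aug/2001:14:05:02 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
198.51.100.9 - - [02/Aug/2001:14:06:15 -0700] "GET /index.html HTTP/1.0" 200 1043
203.0.113.4 - - [02/Aug/2001:14:07:30 -0700] "GET /default.ida HTTP/1.0" 404 281
"""


def parse_clf(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_code_red_probe(request):
    """True only for the worm's signature; a bare GET /default.ida (a manual probe) is not counted."""
    return CODE_RED_RE.match(request) is not None


def code_red_variant(request):
    """Label the filler character; the labels are this example's own naming."""
    return "CRv1/v2 (N filler)" if CODE_RED_RE.match(request).group(1) == "N" else "CRII (X filler)"


def code_red_sources(lines):
    """Aggregate Code Red probes per source address: hit count, first/last seen, variants.

    The source is whatever address reached the web server. As the reply in the thread
    notes, that may be a NAT gateway or proxy rather than the infected IIS host itself,
    so the report identifies whom to notify or block, not necessarily the infected machine.
    """
    report = {}
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not is_code_red_probe(rec["req"]):
            continue
        entry = report.setdefault(
            rec["ip"], {"hits": 0, "first": rec["ts"], "last": rec["ts"], "variants": set()}
        )
        entry["hits"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["variants"].add(code_red_variant(rec["req"]))
    return report


def format_report(report):
    """One line per source, busiest first, suitable for a notification or blocklist review."""
    rows = sorted(report.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return [
        f"{ip}\thits={e['hits']}\tfirst={e['first'].isoformat()}\tlast={e['last'].isoformat()}"
        f"\tvariants={','.join(sorted(e['variants']))}"
        for ip, e in rows
    ]


if __name__ == "__main__":
    for row in format_report(code_red_sources(SAMPLE_LOG.splitlines())):
        print(row)
```

Running it on the sample log lists 10.0.0.5 (two N-filler hits) and 192.0.2.77 (one X-filler hit); the plain `GET /default.ida` from 203.0.113.4 is left out because it lacks the worm's filler, and the ordinary page fetch is never considered. Feed real access logs through `code_red_sources(open(path))` to get the same per-source report.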
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:06 PDT