Re: Hacker Delight

From: Greg KH (greg@private)
Date: Thu Aug 02 2001 - 15:18:11 PDT

    On Thu, Aug 02, 2001 at 02:22:00PM -0700, Jimmy Sadri wrote:
    > 
    > 
    >   As I was sitting here filtering out all the "Code Red" hits on my IDSs
    > and firewalls a thought occurred to me... This could be a hacker's
    > delight... in the sense that all a hacker has to do is sit back and wait
    > for the "Code Red" hits to show up in his logs.  He then has a potential
    > list of targets which are known to be vulnerable.  No searching
    > required.  Using the code provided by that Japanese dude "Speed
    > Junkie" they could easily go through on each of these boxes as they appear
    > in the logs.  The user will assume (if they ever figure it out) that it
    > was just the "Code Red" worm...  But my point all these boxes infected by
    > the are simply beacons saying "Come hack me! and here's my IP so you don't
    > have to search for me"
    > 
    > Hmmmm hope for everyone's (everyone meaning IIS users) sake that I am the
    > only one to think of this.
    
    That was one of the original finders' comments about the worm.  Due to
    the way the IP addresses are generated, you could sit on a box and watch
    all of the cracked machines "phone home" to you if you had an IP address
    in a specific range.
    
    greg k-h
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:06 PDT