On Thu, Aug 02, 2001 at 02:22:00PM -0700, Jimmy Sadri wrote:
>
>
> As I was sitting here filtering out all the "Code Red" hits on my IDSs
> and firewalls a thought occurred to me... This could be a hacker's
> delight... in the sense that all a hacker has to do is sit back and wait
> for the "Code Red" hits to show up in his logs. He then has a potential
> list of targets which are known to be vulnerable. No searching
> required. Using the code provided by that Japanese dude "Speed
> Junkie" they could easily go through on each of these boxes as they appear
> in the logs. The user will assume (if they ever figure it out) that it
> was just the "Code Red" worm... But my point all these boxes infected by
> the are simply beacons saying "Come hack me! and here's my IP so you don't
> have to search for me"
>
> Hmmmm hope for everyone's (everyone meaning IIS users) sake that I am the
> only one to think of this.

That was one of the original finder's comments about the worm. Due to
the way the IP addresses are generated, you could sit on a box and watch
all of the cracked machines "phone home" to you if you had an IP address
in a specific range.

greg k-h
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:06 PDT