REMOVE

From: Flagler, Brian (brianflagler@private)
Date: Thu Aug 02 2001 - 15:54:43 PDT


    Please remove my address from the listserv.
    
    -----Original Message-----
    From: Greg KH [mailto:greg@private]
    Sent: Thursday, August 02, 2001 3:18 PM
    To: Jimmy Sadri
    Cc: 'crime@private'
    Subject: Re: Hacker Delight
    
    
    On Thu, Aug 02, 2001 at 02:22:00PM -0700, Jimmy Sadri wrote:
    > 
    > 
    >   As I was sitting here filtering out all the "Code Red" hits on my IDSs
    > and firewalls a thought occurred to me... This could be a hacker's
    > delight... in the sense that all a hacker has to do is sit back and wait
    > for the "Code Red" hits to show up in his logs.  He then has a potential
    > list of targets which are known to be vulnerable.  No searching
    > required.  Using the code provided by that Japanese dude "Speed
    > Junkie" they could easily go through on each of these boxes as they appear
    > in the logs.  The user will assume (if they ever figure it out) that it
    > was just the "Code Red" worm...  But my point all these boxes infected by
    > the are simply beacons saying "Come hack me! and here's my IP so you don't
    > have to search for me"
    > 
    > Hmmmm hope for everyone's (everyone meaning IIS users) sake that I am the
    > only one to think of this.
    
    That was one of the original finders' comments about the worm.  Due to
    the way the IP addresses are generated, you could sit on a box and watch
    all of the cracked machines "phone home" to you if you had an IP address
    in a specific range.
    
    greg k-h
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:07 PDT