RE: CodeRed

From: Fulton L. Preston Jr. (fultonat_private)
Date: Thu Jul 19 2001 - 20:25:22 PDT

    The actual number of 1.17 million was a mistake.  The author posted a
    corrected figure:
    
    <Original message>
    Damn, serious methodology error in crunching that.  The correct
    figure is (I now believe :-) 293,000.
    
    		Vern
    </message>
    
    
    -----Original Message-----
    From: Ryan Russell [mailto:ryanat_private]
    Sent: Thursday, July 19, 2001 9:09 PM
    To: Dave Laird
    Cc: incidentsat_private
    Subject: Re: CodeRed 
    
    
    Glad your machine wasn't hit.
    
    I'm a bit stunned at the moment by a note to Bugtraq from a guy at LBL who
    claims that 1.17 Million different IP addresses have tried his address
    space, meaning that at least that many different IIS boxes have been
    nailed.  I'm rather amazed.
    
    				Ryan
    
    On Thu, 19 Jul 2001, Dave Laird wrote:
    
    > Good evening, Ryan...
    >
    > On Thu, 19 Jul 2001, Ryan Russell wrote:
    >
    > > You've got the evidence of an attempt (actually, you've probably had
    > > plenty of attempts) but there is 0 chance that this worm will work on
    > > Apache on Linux as-is.  Apache responded with a 404, as it should.  The
    > > worm uses Windows system calls, and takes advantage of a hole that only
    > > exists on IIS.  You needn't be concerned.
    >
    > WHEW! While I'm not particularly a newbie, nonetheless when I saw the
    > attempts in my log file, I nearly had a cow in full-blown panic mode.
    > However, what truly set me back on my heels is that, in investigating
    > several of my associates who *do* run IIS, I discovered *most* of them are
    > already infected or have already installed the "patch". This is not good at
    > all. I was frankly *stunned* by the potential this worm has to damage if not
    > entirely nullify IIS Web Servers everywhere in the world.
    >
    > My extreme thanks to everyone on this list for bringing it to my attention.
    > Now I can slip back into relative obscurity, uh... right? 8-)
    >
    > Dave
    > --
    > Dave Laird (dlairdat_private)
    > The Used Kharma Lot
    > Web Page:   http://www.kharma.net updated 07/17/2001
    > Musicians' Calendar: http://www.kharma.net/calendar.html
    > Usenet news server : news://news.kharma.net
    >
    >  Fortune Cookie:
    > I must have slipped a disk -- my pack hurts!
    >
    >
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 23:44:13 PDT