Wide-scale Code Red Damage Assessment and Report

From: Jon O . (jonoat_private)
Date: Sun Jul 22 2001 - 14:50:53 PDT

  • Next message: Alvin Oga: "Re: Guess this is a hack attemp"

    During the infection phase of Code Red (on the 19th) we wrote a small tool
    for research purposes.
    
    This tool read in logs of machines sending the default.ida attack and connected
     back to them on port 80, made a GET request and dumped the resulting data. 
    
    This tool was run continuously from 3 unique machines in different locations 
    around the internet, but all in the West Coast US. These "Reponse machines" 
    connected to over 40K machines over the course of the next 24 hours. 
    
    The goal is to research and gain statistics on what types of companies were 
    launching these attack on our servers.
    
    Around 10:00 am PST we saw a sharp decrease in the succees of our connections to
    the attacking machines on port 80. Obiviously, this was probably the result
    of administrators finding these machines compromised and attacking a phantom
    www1.whitehouse.gov. Our port 80 connections to these machines steadily 
    decreased over the next 12 hours.
    
    After dumping the index.html (or similar) pages from the attacking machines, 
    we began to analyize the data. We decided the only real good information 
    contained in this data was the time aspect mentioned above and the type of 
    website being served. 
    
    The time is of interest because it shows how quickly the infection was responded
     to by engineers and administrators. Although, this data is far from scientific
     and admins could have patched their machines and had them back up when the 
    Response machines connected. 
    
    The other item of interest was the sites being served on these machines. We 
    are attempting to break the sites down into categories as follows:
    	
    	E-Commerce Site
    	General Website
    	Health Care providers
    	Government Agencies
    	Online Banking Institutions
    
    We will publish this information to this list when complete. However, to protect
    privacy of these sites, companies, etc. we are not planning on releasing names.
    
    Also, there are some sites which appear to contain gateways to sensitive data. 
    We encourage the Responsible Parties of these machines to fix them in the 
    interest of protecting Patient, Government and private data. We also encourage 
    you to look through your logs in order to be more informed about these companies
     who were attacking and their apparent disregard for simple security fixes such
     as a patch. This disregard resulted in a massive about of DoS traffic to be 
    transferred all over the internet.  We can only hope to be so lucky next time.
    
    
    



    This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 17:38:23 PDT