During the infection phase of Code Red (on the 19th) we wrote a small tool for research purposes. This tool read in logs of machines sending the default.ida attack and connected back to them on port 80, made a GET request and dumped the resulting data. This tool was run continuously from 3 unique machines in different locations around the internet, but all in the West Coast US. These "Response machines" connected to over 40K machines over the course of the next 24 hours. The goal was to research and gain statistics on what types of companies were launching these attacks on our servers.

Around 10:00 am PST we saw a sharp decrease in the success of our connections to the attacking machines on port 80. Obviously, this was probably the result of administrators finding these machines compromised and attacking a phantom www1.whitehouse.gov. Our port 80 connections to these machines steadily decreased over the next 12 hours.

After dumping the index.html (or similar) pages from the attacking machines, we began to analyze the data. We decided the only real good information contained in this data was the time aspect mentioned above and the type of website being served. The time is of interest because it shows how quickly the infection was responded to by engineers and administrators. This data is far from scientific, though, and admins could have patched their machines and had them back up by the time the Response machines connected.

The other item of interest was the sites being served on these machines. We are attempting to break the sites down into categories as follows:

- E-Commerce Site
- General Website
- Health Care providers
- Government Agencies
- Online Banking Institutions

We will publish this information to this list when complete. However, to protect the privacy of these sites, companies, etc. we are not planning on releasing names. Also, there are some sites which appear to contain gateways to sensitive data.
We encourage the Responsible Parties of these machines to fix them in the interest of protecting Patient, Government and private data. We also encourage you to look through your logs in order to be more informed about these companies who were attacking and their apparent disregard for simple security fixes such as a patch. This disregard resulted in a massive amount of DoS traffic being transferred all over the internet. We can only hope to be so lucky next time.
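As an added illustration of the log review the post recommends (this is example code, not the poster's tool), the script below pulls the hosts that sent default.ida requests out of web server access logs and counts distinct attacking hosts per hour, which is the "time aspect" the post describes. The log lines are constructed in Apache combined format with RFC 5737 documentation addresses; the request string is a shortened stand-in for the worm's real GET /default.ida?... request.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log lines (not real data). The query string is
# truncated; the worm's actual request carried a much longer payload.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2001:09:12:41 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 -
198.51.100.22 - - [19/Jul/2001:09:47:03 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 -
203.0.113.7 - - [19/Jul/2001:10:05:19 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 -
192.0.2.15 - - [19/Jul/2001:10:30:00 -0700] "GET /index.html HTTP/1.1" 200 5120
192.0.2.88 - - [19/Jul/2001:11:02:55 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 -
"""

# Apache/NCSA common log prefix: client, ident, user, [timestamp], "METHOD PATH ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)


def parse_default_ida_hits(log_text):
    """Return (client_ip, timestamp) for every request whose path is /default.ida."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if not m.group("path").lower().startswith("/default.ida"):
            continue  # ordinary traffic, not the worm's probe
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m.group("ip"), ts))
    return hits


def unique_attackers(hits):
    """Sorted list of distinct hosts that sent the default.ida request."""
    return sorted({ip for ip, _ in hits})


def attackers_by_hour(hits):
    """Distinct attacking hosts per clock hour, keyed 'YYYY-MM-DD HH', oldest first."""
    buckets = defaultdict(set)
    for ip, ts in hits:
        buckets[ts.strftime("%Y-%m-%d %H")].add(ip)
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}


if __name__ == "__main__":
    found = parse_default_ida_hits(SAMPLE_LOG)
    print("attacking hosts:", unique_attackers(found))
    for hour, count in attackers_by_hour(found).items():
        print(f"{hour}:00  {count} distinct host(s)")
```

Feed it a real access log in place of SAMPLE_LOG to see when probes from each host start and stop, which is what lets you compare against the drop-off the post observed around 10:00 am PST.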
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 08:48:46 PDT