Re: CodeRedII worm..

From: Emory Wood (maui12roat_private)
Date: Mon Aug 06 2001 - 02:09:22 PDT


    Seeing a lot of activity here in South Korea net, looks like they're more
    worried about the "Hi" virus that hit around the 24th of July than about
    patching their IIS systems.  Getting on average about 30 to 45 hits on CRv2
    an hour (1705 kst), granted that's down from about 55 to 65 at about (0800
    kst).  Anyone have a good English speaking contact at Korea Network
    Information Center (KNIR)? Tried to talk to one of the folks there but my
    Korean is not that good.
    
    ----- Original Message -----
    From: <Valdis.Kletnieksat_private>
    To: <incidentsat_private>; <bugtraqat_private>
    Sent: Sunday, August 05, 2001 5:38 PM
    Subject: CodeRedII worm..
    
    
    > (Sorry for the cross-posting)
    >
    > Given that initial analysis of the CodeRedII worm indicates that it leaves
    > a backdoor lying around, I hereby request that those people who made
    > lists of infected hosts available last time *NOT* do so again.
    >
    > Although said lists *were* helpful in the analysis and study of the worm's
    > tactics, the benefits are certainly outweighed by the fact that the new
    > worm creates a known backdoor.  I'm certain that both the CodeRedII author
    > and other black hats would love for us to compile a list of afflicted
    > hosts for them to use.
    >
    > So please everybody - if you're sending IP's in to be added to a table,
    > make sure you're sending them to a white hat, not to a black hat who's
    > managed to social-engineer you.  If you're a white hat compiling a list,
    > make sure the guy's hat is at least a light grey before you give them
    > a copy. ;)
    >
    > Valdis Kletnieks
    > Operating Systems Analyst
    > Virginia Tech
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:43:13 PDT