> From: Jonathan Rickman [mailto:jonathanat_private]
> Sent: Thursday, 6 September 2001 04:46
> To: Blue Boar
> Cc: vuln-devat_private
> Subject: Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)
>
> Moderator: My webserver has logged CodeGreen hits, so I feel I have the right to respond to this admittedly wasted thread.
> If nothing else...please afford me the opportunity to speak to the world without resorting to strange GET requests in
> everyone's webserver logs.
>
>> Does anyone realize what a bad idea it is to release worms like this
>> in the first place, regardless of whether or not they mean well?
>
> Obviously not...
>
> 195.224.242.248 - - [04/Sep/2001:19:00:30 -0400] "GET /default.ida?Code_Green_<I_like_the_colour-_-><AntiCo
> deRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_by_'D
> er_HexXer'-Wuerzburg_Germany-_is_dedicated_to_my_sist
> erli_'Doro'.Save_Whale_and_visit_<www.buhaboard.de>_a
> nd_<www.buha-security.de>%u9090%u6858%ucbd3%u7801%u90
> 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9
> 090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u
> 00=a HTTP/1.0" 404 1442 "-" "-"
>
> Logs deliberately not sanitized...
> Thanks but no thanks 195.224.242.248, I don't need any help securing this system. It is not now, nor was it ever, vulnerable to Code Red.

Can anybody confirm this? Does somebody have logs, too?

> In cases where we have some pretty good statistics about the propagation
> and saturation of a given worm, if you were going to write such a worm
> (and I'll leave that debate to others more versed in ethics and law than myself),
> wouldn't it be the best idea to have it shut down (permanently) at
> SATURATION_TIME(target_worm)+a short time - so in this case, CodeGreen should
> have been programmed to shut down no more than 6 days after infecting a box.

I think the best idea is to let the worm stop if it has found nothing to patch for x days and, as a safety measure, maybe one or two months after infecting a box.
> (and I'll leave that debate to others more versed in ethics and law than myself)

That's no question, but if you read something like this... (sorry, it's German)
http://groups.google.com/groups?hl=en&safe=off&th=41a4be0598ea4c6,18&seekm=3B7CDBB3.657BB0D9%40gft-solutions.de#p

> 4. Worm should send a message to admin.

And I think it's ineffective to send emails and (broadcast) messages, with a worm, to the admin account accessible from the infected box, saying that he is infected. People like this one above have no patch yet! They have contributed to the increase of the CodeReds, and now the increase of something somewhat "harmless" would push them into panic, surely...

regards,
Alexander Steinhart
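
One way to check your own access logs for requests like the one quoted in this message, as an added example that is not part of the original post: a Python scan of Common Log Format lines for `.ida` requests, grouped by client address. The labels, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format prefix: client, identd, user, [time], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3}')
UENC_RE = re.compile(r'%u[0-9a-fA-F]{4}')   # %uXXXX words, as in the quoted request

def classify(path):
    """Label a request path, or return None if it does not target an .ida file."""
    target, _, query = path.partition('?')
    if not target.lower().endswith('.ida'):
        return None
    if 'Code_Green' in query:        # banner text visible in the quoted log line
        return 'codegreen-banner'
    if UENC_RE.search(query):        # encoded payload without that banner
        return 'ida-unicode-payload'
    return 'ida-request'

def scan(lines):
    """Return {client_ip: {label: count}} for every .ida request seen."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # not a CLF line, skip it
        ip, _method, path = m.groups()
        label = classify(path)
        if label:
            hits[ip][label] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

# Constructed sample lines: documentation addresses, shortened query strings.
SAMPLE = [
    '192.0.2.10 - - [04/Sep/2001:19:00:30 -0400] "GET /default.ida?Code_Green_V1.0_beta%u9090%u6858=a HTTP/1.0" 404 1442 "-" "-"',
    '192.0.2.10 - - [04/Sep/2001:19:05:02 -0400] "GET /index.html HTTP/1.0" 200 512 "-" "-"',
    '198.51.100.7 - - [04/Sep/2001:19:07:11 -0400] "GET /default.ida?AAAA%u9090%u6858=a HTTP/1.0" 404 1442 "-" "-"',
    '198.51.100.7 - - [04/Sep/2001:19:09:40 -0400] "GET /scripts/test.ida HTTP/1.0" 404 300 "-" "-"',
    'this line is not in Common Log Format',
]

if __name__ == '__main__':
    for ip, counts in sorted(scan(SAMPLE).items()):
        print(ip, counts)
```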
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 11:30:02 PDT