[39698] in North American Network Operators' Group


RE: Code Red : Any whitehouse.gov people around?

daemon@ATHENA.MIT.EDU (Dave Stewart)
Fri Jul 20 11:41:16 2001

Message-Id: <5.1.0.14.2.20010720112904.04fcc990@mail.ntrnet.net>
Date: Fri, 20 Jul 2001 11:39:47 -0400
To: <nanog@merit.edu>
From: Dave Stewart <dbs@ntrnet.net>
In-Reply-To: <1A093F9F32931249BF1EAD26C7280F5ADA098D@fnexchange3.corp.fast.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


At 10:04 AM 7/20/2001, Mike Najarian wrote:

>Has anyone gutted an infected box to determine whether it's going to go for
>         whitehouse.gov
>         www.whitehouse.gov
>or a hardcoded IP?

While there's incomplete information available in the standard places, it 
appears to be a hardcoded IP.

I, along with many others, have null routed it.... Symantec's site claims 
the IP address is no longer active at any rate.

It *appears* that from xx-20-xxxx through xx-28-xxxx, this thing will 
attack that IP address... meaning that measures already in place will 
minimize damage from the portion of the code that attempts to flood 
198.137.240.91.  Networks where 198.137.240.91 isn't blocked could see 
network congestion, I suppose, if they host a large number of infected 
machines.

I've seen a claim that if the date is greater than 28, the threads just go 
into an infinite sleep.

From what I can see, I would expect another round of probes to take place 
starting on 01-August-2001...
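Added example, not part of the thread or of any poster's reply: a small triage script that turns the two operational facts above (a hardcoded flood target of 198.137.240.91 and a day-of-month window from the 20th through the 28th) into a check an operator could run against their own flow or firewall logs to find hosts that should be cleaned. The log line format, the sample lines and the host addresses are constructed for this example; the window boundaries are taken from the message and are easy to adjust.

```python
"""Triage helper for the Code Red flood phase described in the thread.

Given flow/firewall log lines, list internal hosts seen sending to the
hardcoded flood target and report whether a day of month falls inside the
window the thread describes (day 20 through 28 inclusive).
The log format, sample lines and addresses below are constructed.
"""
from collections import Counter
import re

FLOOD_TARGET = "198.137.240.91"  # hardcoded target named in the thread
WINDOW_FIRST_DAY = 20            # from the thread: attacks start on the 20th
WINDOW_LAST_DAY = 28             # from the thread: threads sleep after the 28th

# Constructed sample log lines (not from a real device):
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOGS = """\
2001-07-20T11:05:01 10.1.2.3 -> 198.137.240.91:80 tcp
2001-07-20T11:05:02 10.1.2.3 -> 198.137.240.91:80 tcp
2001-07-20T11:05:03 10.1.9.7 -> 198.137.240.91:80 tcp
2001-07-20T11:05:04 10.1.2.3 -> 192.0.2.10:80 tcp
2001-07-20T11:05:05 10.1.4.4 -> 198.137.240.91:80 tcp
garbage line that does not parse
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<proto>\w+)$"
)


def in_flood_window(day_of_month: int) -> bool:
    """True when the day of month lies inside the flood window from the thread."""
    return WINDOW_FIRST_DAY <= day_of_month <= WINDOW_LAST_DAY


def suspected_infected_hosts(log_text: str, target: str = FLOOD_TARGET) -> Counter:
    """Count connection attempts per source address toward the flood target.

    Unparseable lines are skipped so one bad record does not abort the run.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m.group("dst") == target:
            counts[m.group("src")] += 1
    return counts


def triage_report(log_text: str, day_of_month: int) -> dict:
    """Combine the window check and the per-host counts into one result."""
    hosts = suspected_infected_hosts(log_text)
    return {
        "in_window": in_flood_window(day_of_month),
        "hosts": dict(hosts),
        "total_attempts": sum(hosts.values()),
    }


if __name__ == "__main__":
    # Day 20 is inside the window; hosts 10.1.2.3, 10.1.9.7 and 10.1.4.4 show up.
    print(triage_report(SAMPLE_LOGS, 20))
```

Any source that appears in the host list is a candidate for cleanup regardless of whether the null route is in place: the route stops the flood from leaving the network, but the infected machines keep probing and will still be infected when the next round starts.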
