[39724] in North American Network Operators' Group


Re: Code Red on dial-in ppp

daemon@ATHENA.MIT.EDU (Jason A. Mills)
Sat Jul 21 12:28:44 2001

Date: Sat, 21 Jul 2001 09:28:08 -0700 (PDT)
From: "Jason A. Mills" <phyxis@rottweiler.org>
To: Mitch Halmu <mitch@netside.net>
Cc: nanog@merit.edu
In-Reply-To: <Pine.SOL.3.91.1010721095950.2647s-100000@sunny.netside.net>
Message-ID: <Pine.BSF.4.21.0107210926250.22854-100000@shell3.ba.best.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


I'm not sure I see why a POTS PPP link, or some other slow(er) on-demand
link, might stop CodeRed. The first-pass payload is under 4096 bytes
including framing, not exactly something you need a lot of low-latency
bandwidth to push through. :-/

-J


On Sat, 21 Jul 2001, Mitch Halmu wrote:

> 
> You may have received the following from codered@securityfocus.com
> 
> This mail is from the ARIS Analyzer Service (Attack Registry and
> Intelligence Service) from SecurityFocus. It has come to our attention
> that your system(s), listed below, have been identified as being
> compromised by the Code Red Worm.  The Code Red Worm is rapidly
> spreading across the Internet, compromising vulnerable Windows NT IIS
> servers.
> 
> The addresses identified as belonging to you are as follows:
> 
> [ dynamic dial-in ip ]
> [ dynamic dial-in ip ]
> 
> [snip]
> 
> This makes me think that the worm is capable of infecting not only
> dedicated web servers, but also dial-in customers running ppp that
> happen to be online when the attack occurs. NetSide is an all Sun
> sparc shop and we don't have any Windows based machines, but I can see
> this worm being alive and spreading for a long time if dial-in users
> are affected.
> 
> Unfortunately, they don't provide a date and time stamp, so
> identifying the actual user is not possible. I can provide web server
> log extracts to whomever collects/analyzes such information (John O.,
> sorry but you're bouncing my email - get rid of MAPS).
> 
> --Mitch
> NetSide



             Jason A. Mills           phyxis@rottweiler.org
             ----------------------------------------------
              "La morale est la faiblesse de la cervelle."
                 Arthur Rimbaud --- Une Saison en Enfer
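
The point in the quoted message about the missing date and time stamp, as an added example that is not part of either message: a dynamic dial-in address alone maps to every customer who ever held it, while address plus timestamp maps to at most one session. The accounting records, log lines, addresses, user names and function names are all constructed for illustration; the `/default.ida` request path is the widely reported Code Red probe and does not come from this thread, and all times are assumed to be UTC.

```python
import re
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed dial-in accounting sessions: (user, assigned_ip, start, stop), UTC.
SESSIONS = [
    ("alice", "192.0.2.17", "2001-07-19 14:02:10", "2001-07-19 15:40:55"),
    ("bob",   "192.0.2.17", "2001-07-19 15:41:30", "2001-07-19 18:05:00"),
    ("carol", "192.0.2.23", "2001-07-19 16:00:00", "2001-07-19 16:30:00"),
]

# Constructed Common Log Format lines from a web server that saw the probes.
ACCESS_LOG = """\
192.0.2.17 - - [19/Jul/2001:16:12:44 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
192.0.2.23 - - [19/Jul/2001:16:45:02 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
198.51.100.9 - - [19/Jul/2001:16:50:00 +0000] "GET /index.html HTTP/1.0" 200 1043
"""

# Source address and timestamp of any GET for /default.ida with a query string.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /default\.ida\?')

def probes(log_text):
    """Yield (source_ip, naive UTC datetime) for each /default.ida request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts.astimezone(timezone.utc).replace(tzinfo=None)

def users_for_ip(ip):
    """Without a timestamp: every user who ever held the address."""
    return sorted({user for user, sip, _, _ in SESSIONS if sip == ip})

def user_at(ip, when):
    """With a timestamp: the user whose session covers that instant, else None."""
    for user, sip, start, stop in SESSIONS:
        if sip == ip and datetime.strptime(start, FMT) <= when <= datetime.strptime(stop, FMT):
            return user
    return None  # no covering session: clock skew or a missing accounting record

def attribute(log_text):
    """Return (ip, utc_time, user_or_None) for every probe line in the log."""
    return [(ip, when.strftime(FMT), user_at(ip, when)) for ip, when in probes(log_text)]

if __name__ == "__main__":
    print("IP only:", users_for_ip("192.0.2.17"))
    for row in attribute(ACCESS_LOG):
        print(row)
```

The second probe falls outside every recorded session for its address, which is the case to investigate for clock skew between the web server and the access server before naming a customer.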

