[40258] in North American Network Operators' Group


This new CodeRedII is moving way faster than the previous

daemon@ATHENA.MIT.EDU (Chris Grout)
Sun Aug 5 03:51:34 2001

Date: Sun, 05 Aug 2001 00:51:46 -0700
From: "Chris Grout" <CGrout@chrisgrout.com>
To: nanog@merit.edu
X-MDaemon-Deliver-To: nanog@merit.edu
Message-Id: <20010805075102.8D5495DD91@segue.merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu


This thing is hitting hard!  I got bored and thought I'd throw some 
stats/info together...

So far, since 9:16am on 7/19, I've seen 485 CRv1 attacks from 257 unique 
IPs on my cable modem.  
Since 6:49am today, I've been hit 472 times from 133 unique IPs with this 
new "CRv2" worm.  

-  All infected systems seem to try each scanned IP twice whereas the 
original only tried once, which probably will help its infection rate.  
Seems odd though as both tries use the same source port.  Could just be 
my snort rules...

-  It has the word "CodeRedII" hard coded in the packet, so it's obviously 
a copycat or at least a fairly recent revision.

-  *Appears* to be hardcoded to use the d:\inetpub\scripts and d:\progra~1
\common~1\system\MSADC directories.  Assuming you are not using this 
path, are you still vulnerable?

-  Either copies cmd.exe or creates a new file named root.exe in those 
directories.

-  I'm seeing almost only cable modem systems now.  Appears businesses 
may have finally gotten their acts together.


chris
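A defender-side tally along the lines of the counts in the post above (an added example, not Chris's code or any real sensor's output): it reads constructed sensor log lines, labels a probe CRv2 when the packet carried the literal "CodeRedII", counts hits and unique source IPs per variant, and flags sources that hit twice from the same source port. The log line format, addresses and ports are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sensor log (not real traffic): one line per inbound probe,
# recording the source IP:port and the payload marker the sensor extracted.
SAMPLE_LOG = """\
2001-08-05 06:49:10 src=24.0.0.10:3401 dst=24.0.0.99 payload=CodeRedII
2001-08-05 06:49:11 src=24.0.0.10:3401 dst=24.0.0.99 payload=CodeRedII
2001-08-05 06:52:03 src=24.0.0.22:1077 dst=24.0.0.99 payload=other
2001-08-05 06:55:40 src=24.0.0.31:2200 dst=24.0.0.99 payload=CodeRedII
2001-08-05 06:55:41 src=24.0.0.31:2200 dst=24.0.0.99 payload=CodeRedII
2001-08-05 07:01:15 src=24.0.0.22:1078 dst=24.0.0.99 payload=other
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<ip>[\d.]+):(?P<port>\d+) dst=\S+ payload=(?P<payload>.*)$"
)


def classify(payload: str) -> str:
    # The post's distinguishing sign: CRv2 carries the literal "CodeRedII" in the packet.
    return "CRv2" if "CodeRedII" in payload else "CRv1"


def tally(log_text: str) -> dict:
    """Return (hits, unique source IPs) per variant plus same-port repeat probers."""
    hits = {"CRv1": 0, "CRv2": 0}
    ips = {"CRv1": set(), "CRv2": set()}
    seen = defaultdict(int)  # (variant, ip, src_port) -> number of probes
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the sensor format
        variant = classify(m["payload"])
        hits[variant] += 1
        ips[variant].add(m["ip"])
        seen[(variant, m["ip"], int(m["port"]))] += 1
    # Sources that probed more than once from the same source port (the CRv2 double try).
    repeats = sorted(key for key, n in seen.items() if n > 1)
    return {
        "CRv1": (hits["CRv1"], len(ips["CRv1"])),
        "CRv2": (hits["CRv2"], len(ips["CRv2"])),
        "same_port_repeats": repeats,
    }


if __name__ == "__main__":
    for variant, (n, uniq) in sorted(tally(SAMPLE_LOG).items())[:2]:
        print(f"{variant}: {n} hits from {uniq} unique IPs")
```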


