[40259] in North American Network Operators' Group
CodeRedII worm..
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sun Aug 5 04:28:58 2001
Message-Id: <200108050828.f758SRv10569@foo-bar-baz.cc.vt.edu>
To: nanog@merit.edu, bugtraq@merit.edu, incidents@merit.edu
From: Valdis.Kletnieks@vt.edu
Date: Sun, 05 Aug 2001 04:28:27 -0400
Errors-To: owner-nanog-outgoing@merit.edu

Given that initial analysis of the CodeRedII worm indicates that it leaves
a backdoor lying around, I hereby request that those people who made
lists of infected hosts available last time *NOT* do so again.

Although said lists *were* helpful in the analysis and study of the worm's
tactics, the benefits are certainly outweighed by the fact that the new
worm creates a known backdoor. I'm certain that both the CodeRedII author
and other black hats would love for us to compile a list of afflicted hosts
for them to use.

So please everybody - if you're sending IPs in to be added to a table,
make sure you're sending them to a white hat, not to a black hat who's
managed to social-engineer you. If you're a white hat compiling a list,
make sure the guy's hat is at least a light grey before you give them
a copy. ;)

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech