[40490] in North American Network Operators' Group


Re: Code Red 2 cleanup; reporting..

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Aug 10 03:30:35 2001

From: "Steven M. Bellovin" <smb@research.att.com>
To: mike harrison <meuon@highertech.net>
Cc: Etaoin Shrdlu <shrdlu@deaddrop.org>, Nanog <nanog@merit.edu>,
	nbuck@chatt.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 10 Aug 2001 08:29:49 +0100
Message-Id: <20010810072949.B64DD7B4B@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu


In message <Pine.LNX.4.10.10108100034440.14898-100000@home.highertech.net>,
mike harrison writes:
>
>> Spent nearly two days convincing someone who was managing a server that he
>> was beating up machines all over the company. It finally took someone at
>
>Tonight, 20 minutes after opening up port 80
>on a firewall to a server supposedly only running
>the latest CITRIX on Port 80 (why 80? Don't ask me?)
>and the high paid out of town consultants swearing they
>had applied the appropriate patches and were safe, 
>they are now broadcasting out the latest CodeRed style worm.
>
>I got some nice sniffit captures from my Linux firewall
>though.. this morning will be interesting. I wonder
>how they like their crow served.
>
>
>
>
I've seen a report that the patch is not fully effective -- see 
http://archives.neohapsis.com/archives/incidents/2001-08/0218.html.
That was on incidents.org last night, but it's gone this morning, so 
maybe that claim isn't accurate.

		--Steve Bellovin, http://www.research.att.com/~smb


