[40491] in North American Network Operators' Group


Re: Code Red 2 cleanup; reporting..

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Aug 10 03:34:34 2001

From: "Steven M. Bellovin" <smb@research.att.com>
To: Etaoin Shrdlu <shrdlu@deaddrop.org>
Cc: Nanog <nanog@merit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 10 Aug 2001 08:31:48 +0100
Message-Id: <20010810073148.9A55F7B4B@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu


In message <3B7360B4.71755CA7@deaddrop.org>, Etaoin Shrdlu writes:
>
>mike harrison wrote:
>> 
>> > FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
>> > probes from, and didn't get a shell prompt on any of them. Are people
>> > cleaning up their boxes that quickly?
>> 
>> I have been told, but not personally confirmed, of non-IIS
>> machines being infected with CodeRed (I or II not known, assume II).
>> Infection method: running a file from somewhere? They still scan out
>> and seek victims, just no webserver running.
>
>Spent nearly two days convincing someone who was managing a server that he
>was beating up machines all over the company. It finally took someone at
>close to VP level to get him to fix it. Last I heard, he was saying
>something on the phone like "Yes sir, you're right sir. Sorry sir." The
>thing that sucks is that he KNEW he couldn't be a problem, since he wasn't
>running IIS. I had the packet captures and obvious grabs for default.ida to
>prove it.
>
>Believe it. I have at least three verified, and that was using web server
>logs they'd hit, and ethereal running on the openbsd machine in my office,
>which sits right next to the local building router. [Yes, it's true. IRL, I
>work for Big Company X.]

So -- if he wasn't running IIS, what was he running?

		--Steve Bellovin, http://www.research.att.com/~smb
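The evidence the posters describe (web-server log hits for default.ida, packet captures of the probes) is what a small log filter can tabulate: any host that appears as the *source* of a default.ida GET in your logs is infected and scanning, whatever it claims to be running. The script below is an added example, not code from anyone on this thread. The log lines are constructed (Apache combined format, with the worm's filler and %u payload truncated for readability), and the variant mapping it uses, a run of "N" characters for Code Red I and a run of "X" characters for Code Red II, is the commonly published distinction between the two worms' request lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, Apache combined format. The real worm sends a few
# hundred filler characters followed by a long %u-encoded payload; both are
# truncated here. These lines are not from the original thread.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2001:14:22:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 276 "-" "-"
10.0.0.7 - - [09/Aug/2001:14:22:09 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [09/Aug/2001:14:23:44 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.5 - - [09/Aug/2001:14:25:17 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 276 "-" "-"
10.0.0.11 - - [09/Aug/2001:14:26:02 -0400] "GET /default.ida HTTP/1.0" 404 276 "-" "curl/7.8"
"""

# Client IP, request method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) '
)

# The worm's request: /default.ida?  followed by a run of one filler
# character. IIS matches the path case-insensitively, so the path is too;
# the filler letter itself is uppercase in both worms.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<fill>[NX])(?P=fill)+', re.IGNORECASE)

VARIANTS = {"N": "Code Red I", "X": "Code Red II"}


def parse_line(line):
    """Return (ip, method, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))


def classify_probe(path):
    """Name the worm variant from the request path, or None if not a probe.

    A bare GET /default.ida (no filler) is not the worm; it is most likely
    a person or scanner checking for the .ida mapping, so it is not counted.
    """
    m = PROBE_RE.match(path)
    if not m:
        return None
    return VARIANTS[m.group("fill").upper()]


def summarize(log_text):
    """Map each scanning source IP to a per-variant hit count."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, _status = parsed
        if method != "GET":
            continue
        variant = classify_probe(path)
        if variant is not None:
            hits[ip][variant] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


def scanning_hosts(log_text):
    """Sorted list of source IPs that sent at least one worm probe."""
    return sorted(summarize(log_text))


if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG).items()):
        detail = ", ".join(f"{v}: {n}" for v, n in sorted(counts.items()))
        print(f"{ip}  {detail}")
```

The status code is deliberately ignored: a 404 from a non-IIS server still proves the source host is scanning, which is exactly the argument the posters had to make. Feed it the access log of any web server the suspect host touched (`summarize(open(path).read())`) and the per-IP table is the evidence; the packet capture is only needed when the host's owner disputes the logs.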


