[21773] in bugtraq
Wide-scale Code Red Damage Assessment and Report
daemon@ATHENA.MIT.EDU (Jon O .)
Mon Jul 23 11:59:51 2001
Date: Sun, 22 Jul 2001 14:50:53 -0700
From: "Jon O ." <jono@microshaft.org>
To: bugtraq@securityfocus.com
Cc: incidents@securityfocus.com
Message-ID: <20010722145053.U86996@networkcommand.com>
Reply-To: "jono@networkcommand.com" <jono@microshaft.org>
In-Reply-To: <200107222020.f6MKKV528740@daffy.ee.lbl.gov>; from vern@ee.lbl.gov on Sun, Jul 22, 2001 at 01:20:31PM -0700
During the infection phase of Code Red (on the 19th) we wrote a small tool
for research purposes.

This tool read in logs of machines sending the default.ida attack and connected
back to them on port 80, made a GET request and dumped the resulting data.

This tool was run continuously from 3 unique machines in different locations
around the internet, but all in the West Coast US. These "Response machines"
connected to over 40K machines over the course of the next 24 hours.

The goal is to research and gain statistics on what types of companies were
launching these attacks on our servers.

Around 10:00 am PST we saw a sharp decrease in the success of our connections to
the attacking machines on port 80. Obviously, this was probably the result
of administrators finding these machines compromised and attacking a phantom
www1.whitehouse.gov. Our port 80 connections to these machines steadily
decreased over the next 12 hours.

After dumping the index.html (or similar) pages from the attacking machines,
we began to analyze the data. We decided the only real good information
contained in this data was the time aspect mentioned above and the type of
website being served.

The time is of interest because it shows how quickly the infection was responded
to by engineers and administrators. This data is far from scientific, though,
and admins could have patched their machines and had them back up when the
Response machines connected.

The other item of interest was the sites being served on these machines. We
are attempting to break the sites down into categories as follows:

E-Commerce Site
General Website
Health Care providers
Government Agencies
Online Banking Institutions

We will publish this information to this list when complete. However, to protect
privacy of these sites, companies, etc. we are not planning on releasing names.

Also, there are some sites which appear to contain gateways to sensitive data.
We encourage the Responsible Parties of these machines to fix them in the
interest of protecting Patient, Government and private data. We also encourage
you to look through your logs in order to be more informed about these companies
who were attacking and their apparent disregard for simple security fixes such
as a patch. This disregard resulted in a massive amount of DoS traffic being
transferred all over the internet. We can only hope to be so lucky next time.
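The log review the message asks for, as an added example that is not the author's tool (which connected back out to the attacking hosts): a defender-side script that finds Code Red probe requests in a web server's own access log and summarises them by source and by hour, the "time aspect" the post describes. It assumes Apache combined-format log lines; the sample lines, the source addresses (documentation ranges) and the shortened default.ida query string are all constructed for the example.

```python
"""Scan an HTTP access log for Code Red probe requests (GET /default.ida?...)
and summarise which hosts sent them and when.  Added example, not the tool
described in the post; all log lines below are constructed samples."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache "combined" log format.  The source
# addresses are documentation-range placeholders and the default.ida query
# string is a shortened stand-in for the worm's real probe.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:13:04:11 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 3122 "-" "-"
198.51.100.7 - - [19/Jul/2001:13:05:02 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.45 - - [19/Jul/2001:13:41:59 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 3122 "-" "-"
192.0.2.10 - - [19/Jul/2001:14:12:30 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 3122 "-" "-"
198.51.100.7 - - [19/Jul/2001:14:13:00 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 3122 "-" "-"
this line is garbage and must be skipped, not crash the parser
"""

# Client IP, timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The Code Red probe always targets the .ida ISAPI extension via this path.
CODE_RED_PATH = re.compile(r'^/default\.ida\?', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log entry, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_code_red_hits(log_text):
    """Return the parsed entries whose request path matches the probe."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and CODE_RED_PATH.match(entry["path"]):
            hits.append(entry)
    return hits


def summarize(hits):
    """Per-source counts, first-seen time per source, and probes per hour.

    The per-hour buckets give the "time aspect" the post is after: how the
    rate of probes from infected hosts changes as they get cleaned up.
    """
    sources = Counter(h["ip"] for h in hits)
    first_seen = {}
    for h in hits:
        if h["ip"] not in first_seen or h["ts"] < first_seen[h["ip"]]:
            first_seen[h["ip"]] = h["ts"]
    per_hour = Counter(h["ts"].strftime("%Y-%m-%d %H") for h in hits)
    return {"sources": sources, "first_seen": first_seen, "per_hour": per_hour}


if __name__ == "__main__":
    report = summarize(find_code_red_hits(SAMPLE_LOG))
    print("probing hosts:", len(report["sources"]))
    for ip, n in report["sources"].most_common():
        print(f"  {ip:16} {n} probe(s), first seen {report['first_seen'][ip]:%Y-%m-%d %H:%M %z}")
    for hour, n in sorted(report["per_hour"].items()):
        print(f"  {hour}:00  {n} probe(s)")
```

The status code is kept in each entry on purpose: a server without an .ida handler simply answers the probe with an error and logs it, so the same scan over a fleet's logs separates hosts that merely recorded the probe from IIS hosts whose logs deserve a closer look. Malformed lines are skipped rather than aborting the run, since real logs from the infection period are full of truncated entries.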