Code Red 2 cleanup; reporting..

Helu,

   Is there an effort abound that would allow for lists of verified 'Code
Red 2' infected hosts to be reported for cleanup/mitigation? By known 'Code
Red 2' infected hosts, I mean that root.exe has been found to exist on the
host.

  Finding the contact information for a lot of these is proving difficult
being that a fair amount of the infected machines are Joe Blow broadband
customers.

   Anyone?

.z

> Is there an effort abound that would allow for lists of verified 'Code
> Red 2' infected hosts to be reported for cleanup/mitigation? By known 'Code
> Red 2' infected hosts, I mean that root.exe has been found to exist on the
> host.
>
> Finding the contact information for a lot of these is proving difficult
> being that a fair amount of the infected machines are Joe Blow broadband
> customers.

Publishing such lists is IMHO not a good idea, as these hosts are vulnerable and
publishing their addresses would only serve to let more crackers know where to
go..

<--( SNIP )-->

Helu,

    Yes, I think that your observation is obvious.. publishing lists of
infected hosts is a bad idea. My question was asking if there was an
unofficial mitigation process to notify the end-use and/or the providers
involved for clean-up efforts.

    I don't want lists of infected hosts nor do I want to publish lists
of infected hosts. Being that it is difficult to contact the end-user of
a lot of the infected hosts, is there a discrete process in place for
notifying the provider.. etc etc.

   If nothing is in place, great, I'll just throw e-mails to the
end-users I can find and/or their respective NSP. If something is
in place.. either unofficial or special contacts at the NSPs, great, I'll
go that route.

.z

FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
probes from, and didn't get a shell prompt on any of them. Are people
cleaning up their boxes that quickly?

-C

> FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
> probes from, and didn't get a shell prompt on any of them. Are people
> cleaning up their boxes that quickly?

I have been told, but not personally confirmed, of non-IIS
machines being infected with CodeRed (I or II not known, assume II).
Infection method: running a file from somewhere? They still scan out
and seek victims, just no webserver running.

mike harrison wrote:

> > FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
> > probes from, and didn't get a shell prompt on any of them. Are people
> > cleaning up their boxes that quickly?
>
> I have been told, but not personally confirmed, of non-IIS
> machines being infected with CodeRed (I or II not known, assume II).
> Infection method: running a file from somewhere? They still scan out
> and seek victims, just no webserver running.

Spent nearly two days convincing someone who was managing a server that he
was beating up machines all over the company. It finally took someone at
close to VP level to get him to fix it. Last I heard, he was saying
something on the phone like "Yes sir, you're right sir. Sorry sir." The
thing that sucks is that he KNEW he couldn't be a problem, since he wasn't
running IIS. I had the packet captures and obvious grabs for default.ida to
prove it.

Believe it. I have at least three verified, and that was using web server
logs they'd hit, and ethereal running on the openbsd machine in my office,
which sits right next to the local building router. [Yes, it's true. IRL, I
work for Big Company X.]

No, sorry, lots of people are not cleaning up machines. I'm still being hit
at home by the same machines I got hit by when this first started, for the
most part. Sure, some of them are gone, but some are sure still here.
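The web-server log evidence mentioned above (default.ida grabs, root.exe requests) can be pulled out of a log automatically; the following is an added example, not code from anyone in this thread. It assumes common-log-format lines; the sample lines are constructed, and the default.ida padding is shortened from what the worm actually sends.

```python
import re
from collections import defaultdict

# Constructed sample lines in common log format (not from the thread); the
# default.ida padding is shortened, real worm requests carry a much longer run.
SAMPLE_LOG = """\
10.0.0.7 - - [06/Aug/2001:03:12:44 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
10.0.0.9 - - [06/Aug/2001:03:13:02 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
10.0.0.7 - - [06/Aug/2001:03:14:10 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
192.0.2.44 - - [06/Aug/2001:03:15:31 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.3 - - [06/Aug/2001:03:16:00 -0700] "GET /index.html HTTP/1.1" 200 1532
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# The .ida overflow is padded with a run of one repeated letter: 'N' in the
# original Code Red, 'X' in Code Red II.
IDA_RE = re.compile(r"^/default\.ida\?([NX])\1{15,}")
# Code Red II leaves a copy of cmd.exe as root.exe; a request for either is
# someone testing whether that backdoor is present on the server.
BACKDOOR_RE = re.compile(r"/(root|cmd)\.exe", re.IGNORECASE)


def classify_request(path):
    """Label a request path, or return None if it looks benign."""
    m = IDA_RE.match(path)
    if m:
        return "CodeRedII-probe" if m.group(1) == "X" else "CodeRed-probe"
    if BACKDOOR_RE.search(path):
        return "backdoor-probe"
    return None


def scan_log(text):
    """Map each label to the sorted, de-duplicated source IPs that produced it."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        src, _method, path, _status = m.groups()
        label = classify_request(path)
        if label:
            hits[label].add(src)
    return {label: sorted(ips) for label, ips in hits.items()}


if __name__ == "__main__":
    for label, ips in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{label}: {', '.join(ips)}")
```

The de-duplicated source list per label is what you would hand to a provider or internal owner for cleanup; the N-versus-X distinction tells you which worm variant the source is running.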

"Christopher A. Woodfield" wrote:

> FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
> probes from, and didn't get a shell prompt on any of them. Are people
> cleaning up their boxes that quickly?

Did you telnet to port 80 and make a specific http GET request for the
root.exe? It isn't just sitting there in the open....

Another possibility if you actually did that and didn't get the shell is the
(unlikely) event that the admin actually had forethought to limit the ACLs.

> I have been told, but not personally confirmed, of non-IIS
> machines being infected with CodeRed (I or II not known, assume II).
> Infection method: running a file from somewhere? They still scan out
> and seek victims, just no webserver running.

I highly doubt this. The vulnerability is very specific to IIS servers, and
unless a new hybrid worm has been released, it's just not possible.

Also note that @Home is now blocking incoming port 80 connections. This will
prevent further infections inbound on their (residential) network, but does
nothing to prevent already compromised hosts from continuing to scan the
rest of the net. This is the most likely reason for seeing scans that don't
look like they are originating from IIS servers. The next most likely reason
is that the worm has totally hosed IIS.

Another possibility is having one public server connected to a LAN that then
infects everything else behind its firewall.

At this point, you can't necessarily deduce anything from an
inability to connect on port 80 to an infected host.

Mike

> Spent nearly two days convincing someone who was managing a server that he
> was beating up machines all over the company. It finally took someone at

Tonight, 20 minutes after opening up port 80
on a firewall to a server supposedly only running
the latest CITRIX on Port 80 (why 80? Don't ask me?)
and the high-paid out of town consultants swearing they
had applied the appropriate patches and were safe,
they are now broadcasting out the latest CodeRed style worm.

I got some nice sniffit captures from my Linux firewall
though.. this morning will be interesting. I wonder
how they like their crow served.


Although @home may be blocking incoming port 80 it is still allowing
those connections which originate inside its network to proceed. In
the last few hours I have received numerous probes to port 80 on my
home machine which have originated from within the @home network. So
far all of the addresses have come from the Left Coast. While a few
have come from WA and OR, most have been from San Diego (I'm in
Orange County which is between San Diego and Los Angeles).

Obviously this does not bode well for Code Red II ending any time
soon since it is non-tech home users who are the least likely to
patch their systems (or even know about Code Red vX).

Maybe @home should limit outbound port 80 connections as well! :)

Larry Diffey

----- Original Message -----

<--( SNIP )-->

Helu,

   Yes, this has been my finding as well. Over a 72-hour period not a
single machine on my long list of Code Red 2 infected machines has been
patched ( meaning that root.exe exists and is GET'able ). Despite
someone declaring that Securityfocus stopped their reporting service, I
did forward on my list to them in the format they wanted for good measure.

   I have heard that some of the broadband companies have started
filtering port 80 ingress, which seems like putting a Pooh Bear
bandaid(tm) over a punctured artery... but nonetheless. I have heard
from quite a few people using various broadband services, that the
performance degradation they are experiencing from the amount of
scanning being generated inside their networks is more than noticeable.

   This brings up another good question: Shouldn't these NSPs identify
who these customers are, e-mail them and try to call them at home/work
with patch procedures.. and after a non-response perhaps pull the plug
entirely on the infected customer in question? I guess it would depend
on the numbers involved, but it seems to me that this would greatly
mitigate the performance degradation on their networks ( and others of
course ).

   However, this brings up the issue of how the infected customer would
apply the patches in order to regain service. It would be quite costly
for the NSP to mail out CDs + instructions, and probably a waste of time (
people tend to throw CDs that come in the mail away without much thought
).

   I think an interesting solution to this problem, no matter how
unethical would be to write a program that leverages the vulnerability to
patch the infected machine. In fact, it surprises me that this hasn't
been done.

   Thoughts?

.z