Code Red : Any whitehouse.gov people around?

Jasper_Wallace · July 19, 2001, 11:41pm

According to a recent post on bugtraq the worm is going to switch from
infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so.

Now i'm not certain if the worm has a hardcoded ip to attack or will do a
DNS lookup for whitehouse.gov, but if it is going to do a dns lookup then
they've still got a chance to change the A records in their dns records to
something else, like 127.0.0.1.

Unfortunatly this will make it hard for people to track down and fix
infected boxes, so if they could use an ip in a non-routable block,
that's unlickley to be used for anything else, e.g. 192.0.2.1, which in
on the 'TEST-NET', or possible on 192.0.0.1, which is on the range HP
use for printer auto configuration (they only use 192.0.0.192).

The TTL on the A RR for whitehouse.gov is 24 hours unfortunatly.

Sabri_Berisha1 · July 20, 2001, 12:52pm

Knowing that some of the colocated boxes in our network *might* be
infected; I have placed a nullroute for 198.137.240.92 (the IP
www.whitehouse.gov resolves to).

Just a thought.

Etaoin_Shrdlu · July 20, 2001, 2:09pm

Sabri Berisha wrote:

> According to a recent post on bugtraq the worm is going to switch from
> infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so.

Knowing that some of the colocated boxes in our network *might* be
infected; I have placed a nullroute for 198.137.240.92 (the IP
www.whitehouse.gov resolves to).

Wrong IP to blackhole. Oops. I've copied the bugtraq post below for
those of who are not subscribed, who might have missed it, or are
overwhelmed.