Code Red round two

So what, if anything, are people planning to do differently as 8 pm EDT today and the possibility of a new round of Code Red Worm activity approaches? Are there things that we as network operators can and should be doing beyond encouraging end users to patch their vulnerable systems?


as a non-iis user i will probably watch the graphs of infected hosts
whilst chuckling to myself

but i've already sent security bulletins to all customers when the worm
was disassembled and its potential known.. hasn't everyone??? (duh if not!)


PS Do people write vulnerabilities into servers in order to justify the
jobs of security people or are they just bad at what they do?

You can scan your network(s) for machines that are vulnerable, and patch them. Or contact the end users and require that they patch them.... if they aren't patched by 7:45pm or so, you can block port 80 access to those machines until they are patched.

OK, but even if we get every one of the vulnerable systems on our own and our customers' networks patched, we will still be subject to probes from infected systems elsewhere. In the last go round ten or eleven days ago it was the probes of unused IP addresses more than infected systems on our network that seemed to cause problems. So while we will continue to be good network citizens and work to get systems on our network patched, we will continue to see problems as long as there are "enough" unpatched systems out there to cause problems. I suspect that that is weeks or even months in the future.

Attached is a long message that was sent out to Merit's customers this morning talking about our plans. No need to read it if you don't want to.