North American Network Operators Group
Was: Code Red 2 cleanup -- SHOULD NSPs PULL THE PLUG? Solutions?
On Thu, 9 Aug 2001, Etaoin Shrdlu wrote:

> No, sorry, lots of people are not cleaning up machines. I'm still being hit
> at home by the same machines I got hit by when this first started, for the
> most part. Sure, some of them are gone, but some are sure still here.
> <--( SNIP )-->

Helu,

Yes, this has been my finding as well. Over a 72-hour period not a single machine on my long list of Code Red 2 infected machines has been patched (meaning that root.exe exists and is GET'able). Despite someone declaring that Securityfocus stopped their reporting service, I did forward on my list to them in the format they wanted for good measure.

I have heard that some of the broadband companies have started filtering port 80 ingress, which seems like putting a Pooh Bear bandaid(tm) over a punctured artery... but nonetheless. I have heard from quite a few people using various broadband services that the performance degradation they are experiencing from the amount of scanning being generated inside their networks is more than noticeable.

This brings up another good question: Shouldn't these NSPs identify who these customers are, e-mail them and try to call them at home/work with patch procedures... and after a non-response perhaps pull the plug entirely on the infected customer in question? I guess it would depend on the numbers involved, but it seems to me that this would greatly mitigate the performance degradation on their networks (and others of course).

However, this brings up the issue of how the infected customer would apply the patches in order to regain service. It would be quite costly for the NSP to mail out CDs + instructions, and probably a waste of time (people tend to throw CDs that come in the mail away without much thought).

I think an interesting solution to this problem, no matter how unethical, would be to write a program that leverages the vulnerability to patch the infected machine. In fact, it surprises me that this hasn't been done.

Thoughts?

.z
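The "identify who these customers are, then contact them" step the post proposes starts with evidence from web-server logs. The following is an added example, not code from the post or from NANOG: it reads constructed Common Log Format lines, flags the two request shapes associated with Code Red, a GET for root.exe (the backdoor the post says is "GET'able" on infected hosts) and the default.ida request the worm sends when it scans (an indicator taken from general knowledge of the worm, not from the post), and aggregates them per source address into a list an abuse desk could act on. It also notes whether any root.exe request was answered with a 2xx, which would mean the server writing the log is itself infected. The log lines, addresses (RFC 5737 documentation ranges), and threshold are constructed for the example.

```python
"""Triage constructed access-log lines for Code Red probe traffic.

Added example; not from the original NANOG post. Produces a per-source
summary for the "notify the owner" step rather than doing anything to the
remote hosts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log in Common Log Format (nothing here is real traffic).
# The default.ida payload is shortened to a few placeholder characters.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Aug/2001:10:12:01 -0400] "GET /scripts/root.exe HTTP/1.0" 404 210
192.0.2.10 - - [09/Aug/2001:10:12:02 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 210
198.51.100.7 - - [09/Aug/2001:10:15:40 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 400 0
203.0.113.5 - - [09/Aug/2001:10:20:00 -0400] "GET /index.html HTTP/1.0" 200 1234
192.0.2.10 - - [09/Aug/2001:10:30:00 -0400] "GET /scripts/root.exe HTTP/1.0" 200 0
this line is not a valid log record
""".splitlines()

# Common Log Format: host ident user [time] "method path proto" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators: a request for root.exe in any directory, or the default.ida
# request the worm uses to propagate.
ROOT_EXE = re.compile(r"/root\.exe(?:$|[?/])", re.IGNORECASE)
DEFAULT_IDA = re.compile(r"/default\.ida(?:$|\?)", re.IGNORECASE)


@dataclass
class SourceSummary:
    first_seen: str
    last_seen: str
    probes: int = 0
    indicators: set = field(default_factory=set)
    backdoor_hits: int = 0  # root.exe requests *our* server answered with 2xx


def classify(line):
    """Return (host, time, indicator, status) for a probe line, else None."""
    m = CLF.match(line)
    if not m:
        return None
    path = m.group("path")
    if ROOT_EXE.search(path):
        indicator = "root.exe"
    elif DEFAULT_IDA.search(path):
        indicator = "default.ida"
    else:
        return None
    return m.group("host"), m.group("time"), indicator, int(m.group("status"))


def triage(lines):
    """Aggregate probe lines by source address; unparseable lines are skipped."""
    report = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        host, when, indicator, status = hit
        entry = report.setdefault(host, SourceSummary(first_seen=when, last_seen=when))
        entry.last_seen = when
        entry.probes += 1
        entry.indicators.add(indicator)
        if indicator == "root.exe" and 200 <= status < 300:
            entry.backdoor_hits += 1
    return report


def notification_list(report, min_probes=2):
    """Sources probing at least min_probes times, busiest first: the list an
    operator would hand to the abuse desk to contact the address owners."""
    ranked = sorted(report.items(), key=lambda kv: (-kv[1].probes, kv[0]))
    return [host for host, s in ranked if s.probes >= min_probes]


def local_backdoor_served(report):
    """True if a root.exe request got a 2xx: the logging server itself needs
    cleaning, not only the scanners."""
    return any(s.backdoor_hits for s in report.values())


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for host, s in rep.items():
        print(f"{host}: {s.probes} probes {sorted(s.indicators)} "
              f"first {s.first_seen} last {s.last_seen}")
    print("notify:", notification_list(rep))
    print("local backdoor served:", local_backdoor_served(rep))
```

Run against a real access log, the threshold would be set from observed scan rates; a single root.exe request is usually a scanner, while a 2xx answer to one is the finding to act on first.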