North American Network Operators Group


Re: Code Red 2 cleanup; reporting..

  • From: Steven M. Bellovin
  • Date: Fri Aug 10 03:33:57 2001

In message <3B7360B4.71755CA7@deaddrop.org>, Etaoin Shrdlu writes:
>
>mike harrison wrote:
>> 
>> > FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
>> > probes from, and didn't get a shell prompt on any of them. Are people
>> > cleaning up their boxes that quickly?
>> 
>> I have been told, but not personally confirmed, of non-IIS
>> machines being infected with CodeRed (I or II not known, assume II).
>> Infection method: running a file from somewhere? They still scan out
>> and seek victims, just no webserver running.
>
>Spent nearly two days convincing someone who was managing a server that he
>was beating up machines all over the company. It finally took someone at
>close to VP level to get him to fix it. Last I heard, he was saying
>something on the phone like "Yes sir, you're right sir. Sorry sir." The
>thing that sucks is that he KNEW he couldn't be a problem, since he wasn't
>running IIS. I had the packet captures and obvious grabs for default.ida to
>prove it.
>
>Believe it. I have at least three verified, and that was using web server
>logs they'd hit, and ethereal running on the openbsd machine in my office,
>which sits right next to the local building router. [Yes, it's true. IRL, I
>work for Big Company X.]

So -- if he wasn't running IIS, what was he running?

		--Steve Bellovin, http://www.research.att.com/~smb
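The evidence the posters describe, web server logs showing probes for default.ida, is easy to pull out mechanically. The following is an added example, not code from the thread or from any poster: it parses constructed NCSA-style access log lines, picks out default.ida probes, and tallies the probing source addresses per variant. The split between Code Red I and Code Red II is assumed here to follow the commonly cited padding runs (N versus X) in the query string; everything else about the sample lines is invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log lines (not taken from the page). A non-IIS
# server answers these probes with 404, but the source address is still logged,
# which is exactly the evidence needed to show a box is scanning.
SAMPLE_LOG = """\
10.1.2.3 - - [10/Aug/2001:03:01:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 281
10.1.2.3 - - [10/Aug/2001:03:02:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 281
10.9.9.9 - - [10/Aug/2001:03:05:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 281
192.0.2.7 - - [10/Aug/2001:03:06:15 -0400] "GET /index.html HTTP/1.0" 200 1043
"""

# NCSA common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify(path):
    """Return the Code Red variant suggested by a request path, or None.

    Assumption: N padding marks Code Red I, X padding marks Code Red II.
    """
    if not path.lower().startswith('/default.ida?'):
        return None
    pad = path.split('?', 1)[1][:8]
    if pad.startswith('XXXX'):
        return 'CodeRedII'
    if pad.startswith('NNNN'):
        return 'CodeRedI'
    return 'default.ida-unknown'


def scan_log(text):
    """Map each probing source IP to a dict of {variant: hit count}."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        variant = classify(m.group('path'))
        if variant:
            hits[m.group('ip')][variant] += 1
    return {ip: dict(c) for ip, c in hits.items()}


if __name__ == '__main__':
    for ip, counts in sorted(scan_log(SAMPLE_LOG).items()):
        print(ip, counts)
```

The per-source tally is what you hand to the owner of the scanning host; a non-IIS server's own 404 responses do not make the probes any less real.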