North American Network Operators Group
Re: Code Red 2 cleanup; reporting..
In message <3B7360B4.71755CA7@deaddrop.org>, Etaoin Shrdlu writes:
>
>mike harrison wrote:
>>
>> > FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II
>> > probes from, and didn't get a shell prompt on any of them. Are people
>> > cleaning up their boxes that quickly?
>>
>> I have been told, but not personally confirmed, of non-IIS
>> machines being infected with CodeRed (I or II not known, assume II).
>> Infection method: running a file from somewhere? They still scan out
>> and seek victims, just no webserver running.
>
>Spent nearly two days convincing someone who was managing a server that he
>was beating up machines all over the company. It finally took someone at
>close to VP level to get him to fix it. Last I heard, he was saying
>something on the phone like "Yes sir, you're right sir. Sorry sir." The
>thing that sucks is that he KNEW he couldn't be a problem, since he wasn't
>running IIS. I had the packet captures and obvious grabs for default.ida to
>prove it.
>
>Believe it. I have at least three verified, and that was using web server
>logs they'd hit, and ethereal running on the openbsd machine in my office,
>which sits right next to the local building router. [Yes, it's true. IRL, I
>work for Big Company X.]

So -- if he wasn't running IIS, what was he running?

--Steve Bellovin, http://www.research.att.com/~smb