On Tuesday 31 July 2001 21:31, Alfred Huger wrote:
> Anyone seeing Code Red activity yet?
When I came in tonight at 1 am I was told that there was no Code Red activity
seen all night. Now (5:14 EDT) I'm seeing dozens of connects per minute. If it
grows at the rate it had previously, we are possibly looking at another
serious problem. Since the end of the last batch of scanning, I'm sure many
infected hosts were rebooted because of crashing or some other reason
(installing software/changing IPs/etc). After reboot they are no longer
infected (because the virus wasn't spreading). Now these systems, and
possibly others that weren't infected the first time around, are getting
infected and starting to scan. Chances are, anyone who hasn't applied the
patch by now isn't going to. As another list went over, some vendors won't
support their product if you apply patches to the system that are not from
them (I believe it was some web-banking software on IIS that was specifically
mentioned). I don't take a doomsday attitude with Code Red, but it's clear
it's going to continue to create problems to some degree.
My company monitors many class C and B networks' firewall logs/IDS/network
appliance reports/etc. We only monitor a tiny chunk of the internet as a
whole. However, if I see this just on our clients' networks then the rest of
the world has to be seeing it.
Remember, it took several days last time before it got big. This time there
are fewer systems for it to infect, but it has a bigger base number from which
to spread. Without hard numbers, it's impossible to come up with even a guess
at what the spread rate will be. Let's hope all the organizations who repost
advisories as if they had anything to do with the discovery actually got
through to some people.
Remember, the problem is people who have to hear about available patches to
serious security problems on their local news. Perhaps if major news networks
and the AP would run a story on system/network admins that don't subscribe to
security mailing lists we wouldn't have had such a problem.
No flames were intended in this message. Don't misinterpret it that way and
counterflame.
--
Joseph Nicholas Yarbrough
Information Security Analyst
LURHQ Corporation
***NOTE***
These words and thoughts are my own, not my company's.
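The observation in the post ("dozens of connects per minute" showing up across monitored firewall logs) is the kind of thing worth turning into a simple rate check. The following is an added example, not code from the original message or from LURHQ: it counts inbound TCP/80 connection attempts per minute from constructed firewall deny lines and flags minutes where many distinct sources are hitting the web port at once, which is what worm scanning from the outside looks like as opposed to one host probing. The log line format, the IP addresses and the thresholds are all assumptions made for the example; Code Red itself spread over TCP port 80 to IIS, which is why that port is the default.

```python
import re
from collections import defaultdict

# Hypothetical firewall deny-line format (constructed for this example; real
# firewall and IDS logs differ, so LOG_RE must be adapted to the appliance):
#   <YYYY-MM-DDTHH:MM:SS> DENY TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}\s+DENY\s+TCP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def per_minute_hits(lines, port=80):
    """Return {minute: (attempt_count, distinct_source_count)} for inbound TCP
    connection attempts to `port`. Lines that do not parse (accepts, UDP,
    malformed entries) are skipped rather than aborting the whole run."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m.group("dport")) != port:
            continue
        minute = m.group("minute")
        attempts[minute] += 1
        sources[minute].add(m.group("src"))
    return {mn: (attempts[mn], len(sources[mn])) for mn in sorted(attempts)}


def flag_scan_minutes(stats, min_hits=5, min_sources=4):
    """Minutes that look like worm scanning: both many attempts AND many
    distinct sources in the same minute. A single noisy host fails the
    second test; the thresholds are example values, tune them per network."""
    return [mn for mn, (n, srcs) in stats.items()
            if n >= min_hits and srcs >= min_sources]


# Constructed sample log: a quiet minute, an unrelated SMTP deny, a line in
# another format, then a burst of port-80 attempts from several sources.
SAMPLE_LOG = """\
2001-08-01T05:10:03 DENY TCP 198.51.100.7:4011 -> 192.0.2.10:80
2001-08-01T05:10:40 DENY TCP 198.51.100.7:4012 -> 192.0.2.11:80
2001-08-01T05:10:55 DENY TCP 198.51.100.9:2200 -> 192.0.2.10:25
2001-08-01T05:12:00 ACCEPT UDP 198.51.100.9 -> 192.0.2.10 dns
2001-08-01T05:14:01 DENY TCP 203.0.113.5:1025 -> 192.0.2.10:80
2001-08-01T05:14:03 DENY TCP 203.0.113.77:3301 -> 192.0.2.44:80
2001-08-01T05:14:09 DENY TCP 198.51.100.200:1100 -> 192.0.2.12:80
2001-08-01T05:14:15 DENY TCP 203.0.113.5:1026 -> 192.0.2.13:80
2001-08-01T05:14:22 DENY TCP 203.0.113.130:2001 -> 192.0.2.99:80
2001-08-01T05:14:47 DENY TCP 198.51.100.33:1500 -> 192.0.2.70:80
2001-08-01T05:14:58 DENY TCP 203.0.113.8:1027 -> 192.0.2.10:80
"""

if __name__ == "__main__":
    stats = per_minute_hits(SAMPLE_LOG.splitlines())
    for mn, (n, srcs) in stats.items():
        print(f"{mn}  port-80 attempts={n:3d}  distinct sources={srcs}")
    print("scan-like minutes:", flag_scan_minutes(stats))
```

Run against a real firewall feed, the per-minute series is what you would trend over hours to tell a resurgence (growing attempts and growing distinct-source counts) from background noise; the distinct-source requirement is what separates a worm spreading from many hosts from one scanner sweeping the range.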
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Aug 01 2001