Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Incidents: Re: CodeRed Activity

Re: CodeRed Activity

From: Stuart Staniford <stuart_at_silicondefense.com>
Date: Wed, 01 Aug 2001 10:49:24 -0700

Ryan Russell wrote:

> I've caught 4 copies so far. All CRv2.

We have now analyzed a copy that we caught - it is also confirmed CRv2.
 
> We didn't reach saturation point last time, we hit the mode switch.

You are right. But looking at the growth curves, it was fairly close to
saturated by the time that happened.

This time the worm is not going to mode switch until the 20th. So it's going to
saturate and then all the infected hosts are going to sit and spray the Internet
with probes until they get fixed. Rebooting won't help much since it will only
be an hour or two until the host gets infected again.

Stuart. 

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart@silicondefense.com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on Aug 01 2001
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos