Vulnerability Development: CodeGreen free? // Re: Re: AW: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

CodeGreen free? // Re: Re: AW: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

From: Steinhart Alexander <Steinhart_at_uni.de>
Date: Fri, 7 Sep 2001 16:48:05 +0200

> From: Jonathan Rickman [mailto:jonathan_at_xcorps.net]
> Sent: Thursday, 6 September 2001 04:46
> To: Blue Boar
> Cc: vuln-dev_at_securityfocus.com
> Subject: Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)
>
> Moderator: My webserver has logged CodeGreen hits, so I feel I have
> the right to respond to this admittedly wasted thread.
> If nothing else...please afford me the opportunity to speak to the
> world without resorting to strange GET requests in
> everyone's webserver logs.
>
>> Does anyone realize what a bad idea it is to release worms like this
>> in the first place, regardless of whether or not they mean well?
>
> Obviously not...
>
> 195.224.242.248 - - [04/Sep/2001:19:00:30 -0400] "GET /default.ida?Code_Green_<I_like_the_colour-_-><AntiCodeRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_to_my_sisterli_'Doro'.Save_Whale_and_visit_<www.buhaboard.de>_and_<www.buha-security.de>%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1442 "-" "-"
>
> Logs deliberately not sanitized...
> Thanks but no thanks 195.224.242.248, I don't need any help securing
> this system. It is not now, nor was it ever, vulnerable to Code Red.

Can anybody confirm this? Does anybody else have logs, too?

> In cases where we have some pretty good statistics about the
> propagation and saturation of a given worm, if you were going to write such a worm
> (and I'll leave that debate to others more versed in ethics and law
> than myself),
> wouldn't it be the best idea to have it shut down (permanently) at
> SATURATION_TIME(target_worm)+a short time - so in this case, CodeGreen
> should have been programmed to shut down no more than 6 days after infecting
> a box.

I think the best idea is to have the worm stop itself if it has found
nothing to patch for x days, and, as a safety measure, maybe one or two
months after infecting a box.

> (and I'll leave that debate to others more versed in ethics and law
> than myself)

That's not in question, but if you read something like this... (sorry, it's
German)
http://groups.google.com/groups?hl=en&safe=off&th=41a4be0598ea4c6,18&seekm=3B7CDBB3.657BB0D9%40gft-solutions.de#p

> 4. Worm should send a message to admin.

And I think it's ineffective to send emails and (broadcast) messages
to an admin account accessible from the infected box, telling him with a
worm that he is infected. People like the one above have no patch yet!
They have contributed to the increase of the CodeReds, and now the
increase of somewhat "harmless" ones would surely push them into panic...

regards,
Alexander Steinhart
Received on Sep 07 2001
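The log line quoted above is the CodeGreen "patcher" announcing itself with the same `/default.ida?` request shape that Code Red uses. The following is an added example for this thread (it is not code from the thread or from any of its authors): a small Apache common-log scanner that flags `/default.ida` requests carrying a `%uXXXX`-encoded payload and labels them by family. The `Code_Green` marker comes from the quoted log line; the `NNNN`/`XXXX` filler used to recognise Code Red I/II is general knowledge about those worms, not something this thread states. The sample log lines are constructed for the demonstration, with RFC 5737 documentation addresses in place of the real source.

```python
"""Flag Code Red / CodeGreen style probes in Apache common-format access logs.

Added example, not code from the vuln-dev thread. Sample lines are constructed;
the CodeGreen one is modelled on the hit quoted in the thread with the source
address replaced by a documentation address.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The IIS .ida overflow payloads are delivered as %uXXXX "unicode" escapes.
UNICODE_ESC_RE = re.compile(r'%u[0-9a-fA-F]{4}')


@dataclass
class Hit:
    host: str
    time: str
    status: int
    family: str   # "CodeGreen", "CodeRed" or "ida-overflow"
    marker: str   # first bytes of the query, for the analyst's eyes


def classify_query(query: str) -> Optional[str]:
    """Return the worm family for a /default.ida query string, or None if benign."""
    if not UNICODE_ESC_RE.search(query):
        # Ordinary .ida requests exist; the worm probes always carry %u escapes.
        return None
    if "Code_Green" in query:
        return "CodeGreen"          # marker taken from the log line quoted above
    if query.startswith("NNNN") or query.startswith("XXXX"):
        return "CodeRed"            # Code Red I / II filler (general knowledge)
    return "ida-overflow"           # same vulnerability, unknown variant


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Parse each log line and collect the /default.ida worm probes."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the whole scan
        path, _, query = m.group("target").partition("?")
        if path.lower() != "/default.ida":
            continue
        family = classify_query(query)
        if family is None:
            continue
        hits.append(Hit(host=m.group("host"), time=m.group("time"),
                        status=int(m.group("status")), family=family,
                        marker=query[:40]))
    return hits


# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Sep/2001:19:00:30 -0400] "GET /default.ida?Code_Green_'
    '<I_like_the_colour-_->%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 1442 "-" "-"',
    '192.0.2.11 - - [04/Sep/2001:19:05:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN'
    '%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 1442 "-" "-"',
    '192.0.2.12 - - [04/Sep/2001:19:06:12 -0400] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [04/Sep/2001:19:07:40 -0400] "GET /default.ida?foo=bar HTTP/1.0" 404 1442 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.time} {hit.host} {hit.family} status={hit.status} query={hit.marker!r}")
```

The 404 status on the quoted line is itself informative: a server without Index Server mapped returns 404 for `/default.ida` and is not affected, which is exactly Rickman's point about not needing the "patch". Counting hits per source address over a day gives the propagation view the thread is arguing about.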
