Security Incidents mailing list archives

Re: CodeRed


From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 19 Jul 2001 21:50:53 -0600 (MDT)

Yes, responding to my own post, I know (actually, I left incidents on the
post below by mistake...)

As several people have pointed out, the person who made the 1.17M claim
later revised it to "only" about 200K or so.  And that's just him.  I have
no real difficulty believing that we're in the 100's of thousands
neighborhood at this point.

This is the most "successful" worm I've ever seen.  Parts of the code are
damn clever as well (take a real close look at how it "hacks" the web
pages.)

The worm would also be dead simple to modify, as well.  All that you would
need for simple mods is a hex editor.  I'm pretty sure we'll see copycats
in the next few days.

Things could get pretty bad in the short term.

                                        Ryan

On Thu, 19 Jul 2001, Ryan Russell wrote:

I'm a bit stunned at the moment by a note to Bugtraq from a guy at LBL who
claims that 1.17 Million different IP addresses have tried his address
space, meaning that at least that many different IIS boxes have been
nailed.  I'm rather amazed.




----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

