On Mon, 6 Aug 2001, Chris Niekel wrote:

>On Sun, Aug 05, 2001 at 07:02:35PM -0600, John Galt wrote:
>> [...]
>> CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a
>> pseudo-r00tkit. If the IIS admins didn't learn the first time, they got
>> screwed hardcore the second. Not even a reacharound this time.
>
>I get hit every 2 minutes. And apparently lots of computers are now
>advertising that they can be remotely controlled. Wouldn't it be nice if
>there were some 'hack' to send to such a server so that it gets fixed.
>I've got a list of hundreds of ip's of IIS-servers almost begging for an
>antidote!

Telnet to port 80 of the affected server. You'll get a rootshell, add the
file C:\noworm. This will (hopefully, I'm using CR's fix on CR2's
rootshell) prevent it from broadcasting all the junk.

>My stats for today (20 hours): 601 CodeRed2's, 8 CodeRed1's. With my
>cablemodem it looks like my whole country is infected. Although it's
>only 268 unique ip's.

CodeRed2 attempts to spread a lot more than 1. CR2 is actually seeming to
have a twist in its IP picker that weights it to the subnets where
cable/dsl users are the rule.

>Well, better start ignoring the output.
>
>Greetings,
>	Chris Niekel
>
>

-- 
Sacred cows make the best burgers

Who is John Galt? [EMAIL PROTECTED], that's who!!!
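
Per-variant hit counts and a unique-source count like the ones quoted in this message can be pulled from a web server access log. The sketch below is an added example, not part of the original message: it assumes Common Log Format lines and the publicly documented request padding ('N' for the original Code Red, 'X' for CodeRed2), and the sample log lines are constructed.

```python
import re
from collections import Counter

# Common Log Format: client IP first, request line inside double quotes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)')
# Assumption (from public worm write-ups, not from the message above):
# both variants request /default.ida followed by a long padding run;
# the original Code Red pads with 'N', CodeRed2 pads with 'X'.
PROBE_RE = re.compile(r'(?i:/default\.ida)\?([NX])\1{50,}')


def tally(lines):
    """Count probes per variant and the distinct source addresses."""
    hits = Counter()
    sources = set()
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # keep track of lines we could not read
            continue
        ip, url = m.groups()
        probe = PROBE_RE.match(url)
        if not probe:
            continue               # ordinary traffic
        variant = "CodeRed2" if probe.group(1) == "X" else "CodeRed1"
        hits[variant] += 1
        sources.add(ip)
    return {"hits": dict(hits), "unique_ips": len(sources), "unparsed": unparsed}


def _line(ip, url):
    # Constructed sample entry; addresses are documentation ranges.
    return f'{ip} - - [06/Aug/2001:10:00:00 +0200] "GET {url} HTTP/1.0" 404 205'


SAMPLE_LOG = [
    _line("192.0.2.10", "/default.ida?" + "X" * 224),
    _line("192.0.2.10", "/default.ida?" + "X" * 224),   # same host again
    _line("198.51.100.7", "/default.ida?" + "X" * 224),
    _line("203.0.113.5", "/default.ida?" + "N" * 224),
    _line("203.0.113.9", "/index.html"),                # not a probe
    "garbled line without a request",
]

if __name__ == "__main__":
    print(tally(SAMPLE_LOG))
```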