Re: Re: CODE RED protection ! ! ! [7:15989]
My company just got hit by Code Red last week. The only logical thing to deploy on your routers is to block all access to port 80 in and out of all the interfaces by ACL. Unless you have the luxury of running IOS 12.1 and above on all your routers, you will not be able to use NBAR. Deployed the ACLs onto all interfaces to control all port 80 traffic. Use ip route-cache flow and show ip cache flow on your interfaces to detect the IP addresses that are propagating HTTP traffic to port 80. You will have to look out for port 0050 under destination port when you perform a show ip cache flow. Cheers.
- Original Message - From: Dennis Bailey To: [EMAIL PROTECTED] Sent: Tue, 14 Aug 2001 15:34:19 -0400 Subject: Re: CODE RED protection ! ! ! [7:15989]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16140t=15989 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
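The post above suggests turning on ip route-cache flow and reading show ip cache flow for flows with destination port 0050. Below is an added example (editor's code, not from the thread or from Cisco) that does that triage automatically: it parses the per-flow rows of a constructed show ip cache flow listing, keeps TCP flows to port 80, and ranks source addresses by how many distinct web servers they touched, which is what a scanning worm looks like and what a normal browser does not. It assumes the classic IOS column layout (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts, with protocol and ports in hex); the addresses are RFC 5737 documentation ranges and the fan-out threshold is an assumption to tune against your own baseline.

```python
"""Find hosts fanning out HTTP connections in Cisco 'show ip cache flow' output.

Editor's example. Sample output is constructed; addresses are RFC 5737
documentation ranges. The column layout follows the NetFlow cache table on
classic IOS, where ports and protocol print in hexadecimal (0050 = TCP/80,
protocol 06 = TCP).
"""
from collections import defaultdict

# Constructed sample: one host (192.0.2.10) opening connections to many
# distinct web servers with only a packet or two each, one ordinary web
# client (192.0.2.44) talking to a single server, plus unrelated DNS traffic.
SAMPLE_FLOW_TABLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         192.0.2.10      Se0/0         203.0.113.5     06 04D2 0050     3
Fa0/0         192.0.2.10      Se0/0         198.51.100.77   06 04D3 0050     2
Fa0/0         192.0.2.10      Se0/0         198.51.100.78   06 04D4 0050     2
Fa0/0         192.0.2.10      Se0/0         203.0.113.200   06 04D5 0050     2
Fa0/0         192.0.2.10      Se0/0         203.0.113.201   06 04D6 0050     1
Fa0/0         192.0.2.44      Se0/0         203.0.113.5     06 0C1A 0050    41
Se0/0         203.0.113.5     Fa0/0         192.0.2.44      06 0050 0C1A    58
Fa0/0         192.0.2.44      Se0/0         203.0.113.9     11 0035 0035     1
"""

HTTP_PORT = 0x0050   # 80 decimal
PROTO_TCP = 0x06


def parse_flow_table(text):
    """Parse the per-flow rows of 'show ip cache flow' into dicts.

    Rows with the wrong field count or non-hex protocol/port fields (the
    column header, the packet-size histogram, blank lines) are skipped.
    """
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        src_if, src, dst_if, dst, proto, sport, dport, pkts = fields
        try:
            flows.append({
                "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
                "proto": int(proto, 16), "sport": int(sport, 16),
                "dport": int(dport, 16), "pkts": int(pkts),
            })
        except ValueError:
            continue  # header or other non-flow row
    return flows


def http_fanout(flows):
    """Map each source address to the set of distinct hosts it hit on TCP/80."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == PROTO_TCP and f["dport"] == HTTP_PORT:
            targets[f["src"]].add(f["dst"])
    return targets


def suspect_sources(text, min_targets=3):
    """Sources contacting at least min_targets distinct web servers, busiest first.

    A worm scanning for IIS hosts touches many addresses with a handful of
    packets each; an ordinary browser concentrates on a few servers. The
    threshold is an assumption; tune it against your own traffic.
    """
    fanout = http_fanout(parse_flow_table(text))
    ranked = sorted(((src, len(dsts)) for src, dsts in fanout.items()),
                    key=lambda item: (-item[1], item[0]))
    return [(src, n) for src, n in ranked if n >= min_targets]


if __name__ == "__main__":
    for src, n in suspect_sources(SAMPLE_FLOW_TABLE):
        print(f"{src} opened TCP/80 flows to {n} distinct hosts")
```

The flow cache is a snapshot of what the router holds at that moment, so run this against several captures (or a NetFlow export) before acting on a source; the ranking only tells you who to look at, and a busy proxy will also show a large fan-out.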
RE: Re: CODE RED protection ! ! ! [7:15989]
Have you checked this link? http://www.cisco.com/warp/public/63/ts_codred_worm.shtml Thanks Erwin
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, August 15, 2001 3:06 PM To: [EMAIL PROTECTED] Subject: Re: Re: CODE RED protection ! ! ! [7:15989]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16142t=15989
Re: Re: CODE RED protection ! ! ! [7:15989]
Hi, The problem is that I do have web servers on my network; blocking port 80 would stop these web servers. Hamid
wrote in message news:[EMAIL PROTECTED]...
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16145t=15989
RE: Re: CODE RED protection ! ! ! [7:15989]
Maybe I'm mistaken on this; correct me if I'm wrong, but isn't the Code Red worm exploiting a buffer overflow in MS Index Server and from there infecting IIS? Shouldn't disabling MS Index Server resolve this? Or remove the potential problem by removing the offending ISAPI filters, or even better, patch it with the hotfixes available and scan your network with the Code Red scanner regularly to ensure the problem has actually been addressed. D
-Original Message- From: Hamid [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 15, 2001 10:37 AM To: [EMAIL PROTECTED] Subject: Re: Re: CODE RED protection ! ! ! [7:15989]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16146t=15989
Re: Re: CODE RED protection ! ! ! [7:15989]
There are a couple of links that discuss how to do this, but they require features like NBAR to be successful. However, I do not see a link anywhere in this reply, so here goes. http://www.iponeverything.net/CodeRed.html http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml Hope those help. -- Kevin
understand, v.: To reach a point, in your investigation of some subject, at which you cease to examine what is really present, and operate on the basis of your own internal model instead.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16148t=15989
RE: Re: CODE RED protection ! ! ! [7:15989]
Blocking all access to port 80? ... must be nice to have that much leeway in what you are able to block. There are free scanners available to scan entire class-C equivalent network blocks for vulnerable and/or infected systems ... run one, then patch/repair/reboot those machines. Thanks! TJ
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 15, 2001 4:06 To: [EMAIL PROTECTED] Subject: Re: Re: CODE RED protection ! ! ! [7:15989]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16154t=15989
RE: CODE RED protection ! ! ! [7:15989]
Hamid- As great as the desire is to just block access to a port, or oversee all traffic, sometimes it's just not reasonable to do so. I'm assuming that you are with an ISP from your reference to customers. Since you really can't just block 80, as has been suggested, might I suggest a different approach. Use of a competent Intrusion Detection System will easily show you the IP addresses of infected systems. If you take any addresses that are sending out attacks that belong to your customers and then inform the customer that they are infected, you could at least let them know that they need to fix the problem. If they don't, you have the option of turning off their connection, but that is entirely up to you and what you can do as a business. As far as Intrusion Detection Systems, you don't need to spend a lot of money to set one up. There are some great Linux/Windows-based systems out there that are freeware. Andras
-Original Message- From: Hamid [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 15, 2001 2:37 AM To: [EMAIL PROTECTED] Subject: Re: CODE RED protection ! ! ! [7:15989]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16159t=15989
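Andras's point is that what you really want is the list of infected source addresses, not a blanket port-80 block, and an earlier reply notes that the worm goes in through the Index Server ISAPI extension on IIS. Below is an added example (editor's code, not from the thread, from Cisco or from any IDS product) of the simplest detector that gives you that list from the web servers you already run: it reads IIS W3C extended log lines and flags requests for a .ida resource carrying an overlong query string, which is the shape of the worm's probe and is the same URL match the NBAR approach relies on. The signature, the length threshold and the log field order are assumptions stated in the code; the log lines are constructed and use RFC 5737 documentation addresses, and the query keeps only the filler, not the encoded payload bytes a real hit also carries.

```python
"""Flag Code Red-style requests in IIS W3C extended log lines and name the sources.

Editor's example. The signature is an assumption based on the worm's
well-known request shape: a GET for a *.ida resource whose query string is
hundreds of bytes of filler. Log lines are constructed; addresses are RFC 5737
documentation ranges; the field order matches a reduced W3C extended format.
"""
from collections import Counter

# Assumed logged fields (a subset of the IIS W3C extended format):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# Constructed filler only; a real hit carries more than this plus encoded bytes.
WORM_QUERY = "N" * 240

SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-15 13:02:11 192.0.2.10 GET /default.ida " + WORM_QUERY + " 200",
    "2001-08-15 13:02:12 198.51.100.3 GET /index.html - 200",
    "2001-08-15 13:02:13 198.51.100.4 GET /search.ida CiRestriction=router 200",
    "2001-08-15 13:02:14 192.0.2.10 GET /default.ida " + WORM_QUERY + " 200",
    "2001-08-15 13:02:15 203.0.113.77 GET /DEFAULT.IDA " + "X" * 300 + " 404",
])


def parse_iis_line(line):
    """Return a dict for one data line, or None for directives/malformed lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, client, method, stem, query, status = parts
    return {"date": date, "time": time, "client": client, "method": method,
            "stem": stem, "query": "" if query == "-" else query,
            "status": int(status)}


def is_code_red_like(rec, min_query_len=200):
    """True for a GET of a .ida resource with an overlong query string.

    A short .ida query (a genuine Index Server search) is not flagged; the
    length threshold is an assumption. Matching is case-insensitive because
    IIS paths are. A 404 still counts: a request with the worm's shape came
    from that client whether or not the mapping existed on this server.
    """
    return (rec["method"] == "GET"
            and rec["stem"].lower().endswith(".ida")
            and len(rec["query"]) >= min_query_len)


def infected_sources(log_text):
    """Count Code Red-like requests per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec and is_code_red_like(rec):
            hits[rec["client"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, n in sorted(infected_sources(SAMPLE_LOG).items()):
        print(f"{client}: {n} Code Red-like request(s); notify or quarantine this host")
```

The client addresses that come out are the machines doing the scanning, so on an ISP they map directly to the customers to notify. Check the source address against your own ranges before acting, and remember that a server with the .ida mapping removed or patched still logs the probes, which is exactly what makes it a useful sensor.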
re: CODE RED protection ! ! ! [7:15989]
http://www-search.cisco.com/pcgi-bin/search/public.pl?q=code+rednum=10searchselector=0
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15992t=15989
RE: CODE RED protection ! ! ! [7:15989]
NBAR on the routers can help stop Code Red. Watch the wrap... http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml HTH Eric
-Original Message- From: Hamid [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 14, 2001 6:14 AM To: [EMAIL PROTECTED] Subject: CODE RED protection ! ! ! [7:15989]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16004t=15989
RE: CODE RED protection ! ! ! [7:15989]
In addition to the NBAR links that have been provided, you may also want to look into filtering the output of Code Red machines. Over on the NANOG group there has been extensive discussion of Code Red and various actions to take. www.nanog.org, look for the e-mail archives. Chuck
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hamid Sent: Tuesday, August 14, 2001 3:14 AM To: [EMAIL PROTECTED] Subject: CODE RED protection ! ! ! [7:15989]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16027t=15989
Re: CODE RED protection ! ! ! [7:15989]
Depending upon the router platform you can use NBAR. I am just really depressed right now because there are costumers getting involved in our business. I knew I wasn't the only one who liked to get dressed up, but now think of the pressure that there will be with professionals out there.. 
Hamid wrote in message news:[EMAIL PROTECTED]... Hi group, I have some customers whom I believe are infected with Code Red. Any ideas how I can deny any traffic related to Code Red on my router? Thanks Hamid
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16077t=15989