Re: Re: CODE RED protection ! ! ! [7:15989]
My company just got hit by Code Red last week. The only logical thing to deploy on your routers is to block all access to port 80 in and out of all the interfaces by ACL.

Unless you have the luxury of running IOS 12.1 and above on all your routers, you will not be able to use NBAR. Deployed the ACLs onto all interfaces to control all port 80 traffic.

Use "ip route-cache flow" and "show ip cache flow" on your interfaces to detect the IP addresses that are propagating HTTP traffic to port 80. You will have to look out for port 0050 under destination port when you perform a "show ip cache flow".

Cheers.

----- Original Message -----
From: "Dennis Bailey"
To: [EMAIL PROTECTED]
Sent: Tue, 14 Aug 2001 15:34:19 -0400
Subject: Re: CODE RED protection ! ! ! [7:15989]

> Depending upon the router platform you can use NBAR.
>
> I am just really depressed right now because there are costumers getting involved in our business. I knew I wasn't the only one who liked to get dressed up, but now think of the pressure that there will be with professionals out there..
>
> "Hamid" wrote in message news:[EMAIL PROTECTED]...
> > Hi group
> >
> > I have some costumers whom I believe are infected with CODE RED. Any ideas how I can deny any traffic related to CODE RED on my router?
> >
> > Thanks
> >
> > Hamid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16140&t=15989
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
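As an added illustration of the NetFlow check described in the post above (this is not code from the thread or from Cisco): a small parser for "show ip cache flow" output that keeps only flows to TCP destination port 0050 and ranks sources by how many distinct hosts they are hitting, since a single host spraying port 80 across many addresses is what a worm looks like in the cache. The flow table embedded below is constructed sample data following the IOS column layout, not a real capture.

```python
"""Rank sources fanning out to TCP/80 in 'show ip cache flow' output (ports print in hex: 0050)."""
from collections import defaultdict

# Constructed sample of the flow cache (not a real capture). Rows follow the
# IOS column layout: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
SAMPLE_CACHE = """\
IP packet size distribution (1026 total packets):

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.5        Se0/0         192.0.2.10      06 0C4A 0050     3
Fa0/0         10.1.1.5        Se0/0         192.0.2.11      06 0C4B 0050     3
Fa0/0         10.1.1.5        Se0/0         192.0.2.12      06 0C4C 0050     3
Fa0/0         10.1.1.5        Se0/0         198.51.100.7    06 0C4D 0050     3
Fa0/0         10.1.1.20       Se0/0         192.0.2.10      06 0D10 0050    40
Fa0/0         10.1.1.20       Se0/0         192.0.2.10      06 0D11 01BB    25
Fa0/0         10.1.1.30       Se0/0         192.0.2.53      11 0400 0035     2
"""

TCP_PROTO_HEX = "06"    # Pr column is the IP protocol number in hex
HTTP_PORT_HEX = "0050"  # DstP column is the TCP/UDP port in hex


def parse_flows(text):
    """Yield (src_ip, dst_ip, proto_hex, dst_port_hex, pkts) for flow rows only."""
    for line in text.splitlines():
        fields = line.split()
        # Skip the size histogram, the column header and blank lines.
        if len(fields) != 8 or not fields[-1].isdigit():
            continue
        _, src_ip, _, dst_ip, proto, _, dst_port, pkts = fields
        yield src_ip, dst_ip, proto.upper(), dst_port.upper(), int(pkts)


def rank_http_sources(text, min_destinations=3):
    """Return [(src_ip, distinct_dsts, pkts)] for sources sending TCP/80 to at
    least min_destinations hosts, widest fan-out first. A browser talks to a
    handful of sites; an infected host sprays port 80 across many addresses."""
    dests, pkts = defaultdict(set), defaultdict(int)
    for src_ip, dst_ip, proto, dst_port, n in parse_flows(text):
        if proto == TCP_PROTO_HEX and dst_port == HTTP_PORT_HEX:
            dests[src_ip].add(dst_ip)
            pkts[src_ip] += n
    ranked = [(s, len(d), pkts[s]) for s, d in dests.items() if len(d) >= min_destinations]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for src, fanout, total in rank_http_sources(SAMPLE_CACHE):
        print(f"{src:<15} {fanout} hosts on tcp/80, {total} packets")
```

Pasting the real "show ip cache flow" output in place of the sample gives the same ranking; lower min_destinations to 1 to see every host talking to port 80 rather than only the ones fanning out.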
RE: Re: CODE RED protection ! ! ! [7:15989]
Have you checked this link? http://www.cisco.com/warp/public/63/ts_codred_worm.shtml

Thanks
Erwin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 15, 2001 3:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Re: CODE RED protection ! ! ! [7:15989]

> My company just got hit by Code Red last week. The only logical thing to deploy on your routers is to block all access to port 80 in and out of all the interfaces by ACL.
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16142&t=15989
Re: Re: CODE RED protection ! ! ! [7:15989]
Hi

The problem is that I do have web servers on my network; blocking port 80 would stop these web servers.

Hamid

[EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> My company just got hit by Code Red last week. The only logical thing to deploy on your routers is to block all access to port 80 in and out of all the interfaces by ACL.
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16145&t=15989
RE: Re: CODE RED protection ! ! ! [7:15989]
Maybe I'm mistaken on this, correct me if I'm wrong, but isn't the Code Red worm exploiting a buffer overflow on MS Index Server and from there infecting IIS? Shouldn't disabling MS Index Server resolve this??? Or remove the potential problem by removing the offending ISAPI filters, or even better, patch it with the hotfixes available and scan your network with the Code Red scanner regularly to ensure the problem has actually been addressed.

D

-----Original Message-----
From: Hamid [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 15, 2001 10:37 AM
To: [EMAIL PROTECTED]
Subject: Re: Re: CODE RED protection ! ! ! [7:15989]

> Hi
>
> The problem is that I do have web servers on my network; blocking port 80 would stop these web servers.
>
> Hamid
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16146&t=15989
Re: Re: CODE RED protection ! ! ! [7:15989]
There are a couple of links that discuss how to do this, but they require features like NBAR to be successful. However, I do not see a link anywhere in this reply, so here goes.

http://www.iponeverything.net/CodeRed.html
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

Hope those help.

--
Kevin

> Hi
>
> The problem is that I do have web servers on my network; blocking port 80 would stop these web servers.
>
> Hamid
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16148&t=15989
RE: Re: CODE RED protection ! ! ! [7:15989]
Blocking all access to port 80? ... Must be nice to have that much leeway in what you are able to block.

There are free scanners available to scan entire class-C equivalent network blocks for vulnerable &/or infected systems ... run it, then patch/repair/reboot those machines.

Thanks!
TJ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 15, 2001 4:06
To: [EMAIL PROTECTED]
Subject: Re: Re: CODE RED protection ! ! ! [7:15989]

> My company just got hit by Code Red last week. The only logical thing to deploy on your routers is to block all access to port 80 in and out of all the interfaces by ACL.
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16154&t=15989