Re: Module to catch (and warn about) Code Red
At 4:17 PM -0500 8/5/01, Les Mikesell wrote:
>The descriptions I've seen indicate that it has a flaw in
>the attempt to pick random targets. It always uses the
>same seed so every instance runs through the same addresses
>in the same order. That means you will get hit by the same

That was version 1. Version 2 (during the first attack) fixed that. And we are now at a completely new generation of the worm which uses the same basic method, but has much deadlier payloads.

More to the point, the people who are running vulnerable servers are very likely (and some tests have verified this) to be vulnerable to other attacks--so they definitely need a wakeup call.

--
Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
Re: Module to catch (and warn about) Code Red
On Sun, 5 Aug 2001, Les Mikesell wrote:

> The descriptions I've seen indicate that it has a flaw in
> the attempt to pick random targets.

That was only the first version of "Code Red I", "Code Red II" (which is the one that is scanning "in your neighborhood" (close netblocks)) doesn't have that "flaw".

http://www.unixwiz.net/techtips/CodeRedII.html
http://braddock.com/cr2.html

Whatever OS you are running, make sure to install those patches!

 - ask

--
ask bjoern hansen, http://ask.netcetera.dk/ !try; do();
more than 100M impressions per day, http://valueclick.com
Re: Module to catch (and warn about) Code Red
The descriptions I've seen indicate that it has a flaw in the attempt to pick random targets. It always uses the same seed so every instance runs through the same addresses in the same order. That means you will get hit by the same box if it has been rebooted and then re-infected (and that it is almost sure to be re-infected if the patch has not been applied).

Les Mikesell
[EMAIL PROTECTED]

- Original Message -
From: "Todd Finney" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 05, 2001 9:51 AM
Subject: Re: Module to catch (and warn about) Code Red

>
> I don't think this is an issue. Someone more familiar with the virus
> can chime in, but the information that's out there on it seems to
> indicate that it's not going to pick the same IP twice, except by
> chance.
Re: Module to catch (and warn about) Code Red
At 10:00 AM 8/5/01, Reuven M. Lerner wrote:
> > Alessio Bragadini writes:
>     Alessio> The problem I see: is this module sending out a message
>     Alessio> every time, resulting to multiple messages to the same
>     Alessio> web/postmaster?
>     Alessio> My fear is that we substitute a virus with another...
>
>But of course, you're right -- it's probably best to send them at most
>one message per day. More than that won't necessarily get the message
>across any more effectively.
>
>I'll try to find some time later today to add this functionality.

I don't think this is an issue. Someone more familiar with the virus can chime in, but the information that's out there on it seems to indicate that it's not going to pick the same IP twice, except by chance.

http://www.unixwiz.net/techtips/CodeRedII.html

On our main web server, I see 118 hits in the past 14 days, 117 of which are from unique addresses.

cheers,
Todd
[OT] Re: Module to catch (and warn about) Code Red
About 80% of the Code Red probes I get leave the message "Client sent malformed header" in my error_log. Just curious if others are seeing this?
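The "at most one message per day" throttling and the hits-versus-unique-addresses count discussed earlier in the thread, sketched as an added example; it is not part of any message here and not the module's own code. It assumes Common Log Format access-log lines and treats a request for /default.ida with a long query string as a Code Red probe; the 100-character threshold, the function names and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Common Log Format: host ident user [time] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def is_code_red_probe(path):
    """True for /default.ida with a long filler query (threshold is an assumption)."""
    base, _, query = path.partition("?")
    return base.lower() == "/default.ida" and len(query) > 100

def plan_notifications(lines):
    """Return (probe_count, unique_sources, [(day, ip), ...] to warn).

    Each source is queued at most once per calendar day, however often it probes.
    """
    probes, sources, notified, queue = 0, set(), set(), []
    for line in lines:
        m = CLF.match(line)
        if not m or not is_code_red_probe(m.group(4)):
            continue  # unparseable or unrelated line: skip, do not guess
        ip, stamp = m.group(1), m.group(2)
        probes += 1
        sources.add(ip)
        day = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").date()
        if (day, ip) not in notified:
            notified.add((day, ip))
            queue.append((day.isoformat(), ip))
    return probes, len(sources), queue

# Constructed sample log: documentation addresses, made-up filler strings.
N_FILL, X_FILL = "N" * 224, "X" * 224
SAMPLE_LOG = [
    f'192.0.2.10 - - [05/Aug/2001:09:12:01 -0400] "GET /default.ida?{N_FILL} HTTP/1.0" 404 205',
    f'192.0.2.10 - - [05/Aug/2001:09:12:07 -0400] "GET /default.ida?{N_FILL} HTTP/1.0" 404 205',
    f'198.51.100.7 - - [05/Aug/2001:10:40:13 -0400] "GET /default.ida?{X_FILL} HTTP/1.0" 404 205',
    '203.0.113.5 - - [05/Aug/2001:11:02:44 -0400] "GET /index.html HTTP/1.0" 200 1043',
    f'192.0.2.10 - - [06/Aug/2001:00:03:19 -0400] "GET /default.ida?{N_FILL} HTTP/1.0" 404 205',
    'this line is not in Common Log Format',
]

if __name__ == "__main__":
    print(plan_notifications(SAMPLE_LOG))
```
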