CR worm infection attempts

Kim Allen plug-discuss@lists.PLUG.phoenix.az.us
Wed, 8 Aug 2001 18:47:48 -0700 (MST)


Unfortunately that's where the threat of legal action came from. I sent the 
message to the domain the server is in and I got a reply from another 
domain. When I checked, that domain was the upstream provider. 

The funny thing is, in the exchange of messages the comment came out that all of 
the furor of Code Red taking up bandwidth on the internet was just something 
that the evil news media put out for public consumption. Yeah, right. In the 
past 4 hours I have had 860+ hits from Code Red and Code Red II. I can only 
imagine what it is doing all over the internet.

> How about contacting their upstream ISP that is connecting them to the net and
> demanding they do something about <IP Address> attacking your systems.  See if
> you can get them cut off the net by the possibility of lawsuit for damages and
> costs incurred due to their negligence.
> 
> > <begin dissertation>
> > 
> > Most companies caught with their pants around their ankles always use
> > the 'legal action' response.
> > 
> > Nobody likes to admit that they missed something, or fscked up in some
> > way.  Over the years I've found that admins (especially those responsible
> > for network security) fall into two categories:
> > 
> > 1) They are kick-ass, up-to-date, open to suggestions and make their
> > employers glad they hired them... not to mention like to spread their
> > wealth of knowledge around and learn at the same time.  These types
> > typically get 'lunch on the boss' frequently.  :-)
> > 
> > or
> > 
> > 2) They are slow-to-move, generally reactive as opposed to proactive and
> > tend to belittle anyone who tries to help them with an obvious problem.
> > Generally these types have large egos and small brains. *grin*  They are
> > typically the most tech-fluent person in their company, and usually what
> > they say goes.  God help anyone who wants to 'show them the light' or
> > interrupt their IRC session/Quake Match.
> > 
> > I have stopped contacting these Code-Red victims for a few reasons.
> > 
> > 1) I don't have time to play security cop for these places.
> > 2) I don't want any possible legal action against me for being a good
> > samaritan.
> > 3) I'm now under the opinion that if you run M$ server software and
> > don't take the responsibility (or follow up with those that do) to
> > install security patches for a worm that is broadcast on CNN every
> > night, you deserve all the trouble you're incurring/causing.
> > 
> > I'll be sleeping in my bed, dreaming of Kernel 3.0 and IPv6.  LOL
> > 
> > <end dissertation>
> > 
> > ~ Gary ~
> > 
> > On 08 Aug 2001 13:41:13 -0700, Kim Allen wrote:
> > > I've been contacting the sites that my server logs show have been
> > > hitting me with the Code Red signature and so far no one has bothered to
> > > respond except for one. However that site has told me how secure they are
> > > and how there is no way that they have any problems. When I sent them the
> > > portions of my server logs showing they do have a problem they threatened
> > > legal action. Has anyone else had this type of response?