CR worm infection attempts

Lowell Hamilton plug-discuss@lists.PLUG.phoenix.az.us
Sun, 05 Aug 2001 15:09:39 -0700


Publishing this information is, imho, a very good idea for this worm.
There are already several other strains and the script kiddies have
started writing their own to say their "gr33tz".  Since there are well
over 200k machines still vulnerable and actively probing, many of these
hosts are starting to be used for other exploits and will continue to do
so until these lazy admins or ignorant users patch their machines.  I've
been getting around 2500-4000 attempts an hour all day today!

SecurityFocus and several other organizations have been publishing IP
lists and notifying admins of the probes since the first round of the
infection, so if just one person fails to post the IPs they have probed,
there are dozens more that have.  If a would-be hacker wanted to get an
exploited host list, all they need to do is get a couple friends to list
the hosts that they have been hit by since Aug 1, and that alone is
probably 30k hosts to play with.

Lowell

 


Wayne Conrad wrote:
> 
> On Sun, 05 August 2001, "J.Francois" wrote:
> > I got tired of counting and just started putting the info into my IDS page.
> > That way I can send complaints and point them to a URL so I don't have to
> > keep recreating the same data each time.
> 
> Are you putting the IPs up too?  Every one of the CRII infected boxes is rooted...  I wonder about the goodness of publishing a list of known rooted boxes.
>     Wayne