temporarily offline

Wayne Conrad plug-discuss@lists.PLUG.phoenix.az.us
20 Jul 2001 06:01:28 -0700


Hey, that sounds like the Code Red virus.  Up until last evening it was ramping up like crazy trying to infect IIS boxes (at least 300k+ infections on an unknown number of machines).  It hit my Apache box 25 times Thursday.  It's been going strong since Tuesday or Wednesday, but has been in the world before that.  It scans "random" IPs but using a fixed seed, so always the same IPs in the same order.  If your IP was low in its sequence, you'd get hit earlier, before tons of boxes were infected.  If your IP is high in its sequence, it takes longer before you notice it.

Anyhow, the posters on Bugtraq have been noticing that some network devices with web management capability are being taken down by the HTTP request that the worm is making (although the worm is going after IIS, it sends the same HTTP GET to every IP it scans, whether that IP is running IIS or not).  It's been mentioned that some network devices are vulnerable even if the web management capability has been disabled or made accessible only on the local interface (bug in the device).  Certain Cisco routers have been mentioned, as have other makes.

If that's the cause, then it actually isn't US West's fault.  Although it's kind of puzzling that they don't fess up and say that it's a worm that did it.  They obviously know what's causing it if they know the fix.

The worm went out of infection mode last night at 1700 MST (0000 GMT Friday), so if it's the cause, you shouldn't see any more problems of this kind until next month when it goes back into viral mode.

Check out bugtraq (securityfocus.com) for more poop in this bad little bug.

  Wayne

On Thu, 19 July 2001, "Craig White" wrote:
> 
> Qwest had a nationwide problem - for which they have squarely blamed Cisco.
> 
> For all those using Qwest DSL as line and ISP providers, it appears that
> there is no alternative but to connect a management cable to your Cisco
> router, enter enable mode, set web disable, write and reboot. This is
> despite the fact that the web features would not normally be enabled anyway.
> 
> This is apparently all that was necessary to fix several of my customers
> today but of course, it cost them all dearly and wore my butt out.
> 
> I can't wait to see the class action lawsuit on this.
> 
> My guess is that is exactly the problem that hawke is experiencing but he's
> got his own blame game going.
> 
> Craig
> 
> > -----Original Message-----
> > From: plug-discuss-admin@lists.plug.phoenix.az.us
> > [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of
> > technomage-hawke@qwest.net
> > Sent: Thursday, July 19, 2001 8:31 PM
> > To: plug-discuss@lists.plug.phoenix.az.us
> > Subject: temporarily offline
> >
> >
> > well guys,
> > qwest has earned the big joke of the week award.
> > after numerous service problems and other major hassles, my
> > account was canceled earlier this week. I wasn't notified of this
> > until after I called in to inquire why my circuit died..
> >
> > I am now offline (again for the 5th time in 7 days).
> > when I am again back online, I will forward a copy of a letter
> > I drafted and posted to the consumer affairs division
> > of the Arizona State Attorney general.
> >
> > Given everything else, it will make a very interesting read.
> >
> > until my circuit returns to live condition, I am without access
> > to the net (save for remote connection via friends or the library).
> >
> > Technomage Hawke
> >
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail
> > doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
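
The message above notes that the worm sends the same HTTP GET to every address it scans and that an Apache box logged 25 hits in one day. The following is an added example, not part of the original mail thread, that counts such probes in an access log. It assumes Apache Common Log Format and the publicly documented shape of the Code Red request (`/default.ida` followed by a long run of one filler character); the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "([^"]*)" (\d{3}) \S+')
# Assumed signature: GET /default.ida? followed by 64+ copies of one filler byte.
PROBE = re.compile(r'^GET /default\.ida\?(.)\1{63,}', re.IGNORECASE)

def summarize(lines):
    """Return (hits per day, hits per source, count of unparseable lines)."""
    per_day, per_source, malformed = Counter(), Counter(), 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            malformed += 1          # keep a tally instead of silently dropping
            continue
        host, day, request, _status = m.groups()
        if PROBE.match(request):
            per_day[day] += 1
            per_source[host] += 1
    return per_day, per_source, malformed

def probe_line(host, stamp, filler_len=224):
    """Build a constructed log line with the overflow-style filler (no payload)."""
    return '%s - - [%s -0700] "GET /default.ida?%s HTTP/1.0" 404 276' % (
        host, stamp, "N" * filler_len)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE = [
    probe_line("192.0.2.10", "19/Jul/2001:03:12:45"),
    probe_line("198.51.100.7", "19/Jul/2001:04:40:02"),
    probe_line("192.0.2.10", "19/Jul/2001:09:15:30"),
    '203.0.113.5 - - [19/Jul/2001:10:00:00 -0700] "GET /index.html HTTP/1.0" 200 1024',
    # Short query string on the same path: not counted as a probe.
    '203.0.113.5 - - [20/Jul/2001:11:00:00 -0700] "GET /default.ida?NNNN HTTP/1.0" 404 276',
    probe_line("198.51.100.7", "18/Jul/2001:22:01:17"),
    "truncated or corrupt line",
]

if __name__ == "__main__":
    days, sources, bad = summarize(SAMPLE)
    for day, n in sorted(days.items()):
        print(day, n)
    for host, n in sources.most_common():
        print(host, n)
    print("unparseable lines:", bad)
```

On a server that is not IIS these requests normally end in a 404, so the counts measure scan pressure from infected hosts rather than compromise of the logging machine.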