Code Red Worm advisory

James Bell plug-discuss@lists.PLUG.phoenix.az.us
Mon, 23 Jul 2001 01:31:33 -0700


Actually, whoever created the worm had put in the IP address for
www1.whitehouse.gov (note the number 1). They just blackholed that one
address and got the round-robin/load-balancing going without the one IP.

Any bets on the number of yahoos who don't get their IIS systems
patched before this coming Friday night at 5pm (0:00 GMT on the 28th),
when Code Red goes back to scanning the world instead of just DoSing
the White House?

FYI, this worm has two modes: between the 20th and 28th of a month
(midnight GMT) any infected systems have at least 100 threads that go
to trying to DoS the White House. Every other day of the month, it
scans for IIS servers that have ever had MS Index Server installed,
running or not. Not to mention the fact that it replaces/defaces the
websites of the infected machine for up to 10 hours before going
dormant. Replaces is the better term, since it just catches any web
requests and delivers the infamous "welcome to www.worm.com hacked by
chinese" message.

Wouldn't have been quite so bad if someone hadn't fixed the seed
generation of the IP address generation and released the updated worm
on Wednesday night. Before that, its spread was limited to IP addresses
that were a result of that fixed seed. The new version could hit any
IP on the net, and did in a matter of something like 12-16 hours. Damn
scary, and still hasn't gone away.

Matt Alexander wrote:
> 
> Quoting Craig White <craigwhite@azapple.com>:
> 
> > I checked - just for fun and <http://www.whitehouse.gov> is up and
> > running
> > so apparently they have figured out a method for deflecting the DOS
> > attacks.
> 
> They managed to move www.whitehouse.gov to a different IP address before the
> attack occurred.
> ~M
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> 
> PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
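
The two behaviours the post describes, the day-of-month switch between DoS and scanning and the fixed-seed flaw in the first variant's target generator, can be modelled in a few lines. The following is an added example written for this page; it is not code from the post, the list, or the worm itself. The PRNG, the seed values, the host counts and the function names are assumptions chosen for illustration only; the real worm's internals are not reproduced, and nothing here touches the network.

```python
"""Model of the Code Red behaviour described in the post above.

Added example, not the poster's code and not the worm's. It shows (1) the
day-of-month mode switch: DoS against a hard-coded address from the 20th
until 00:00 GMT on the 28th, scanning the rest of the month; and (2) why a
fixed PRNG seed in the target-address generator limited the first variant's
spread: every infected host walks the same address list, so adding hosts
adds no new targets. PRNG, seeds and counts are illustrative assumptions.
"""
import random
from datetime import datetime, timedelta, timezone

# The post says the worm hard-coded the address of www1.whitehouse.gov.
# Kept as a label only; nothing is contacted.
HARDCODED_DOS_TARGET = "www1.whitehouse.gov"


def worm_mode(now: datetime) -> str:
    """Return 'dos' from the 20th up to (not including) 00:00 GMT on the 28th,
    otherwise 'scan'. Expects a timezone-aware datetime; converts to UTC."""
    utc = now.astimezone(timezone.utc)
    return "dos" if 20 <= utc.day < 28 else "scan"


def scan_targets(seed: int, count: int) -> list[str]:
    """Generate `count` pseudo-random IPv4 addresses from a PRNG seeded with `seed`.

    A seed shared by every infected host (the fixed-seed flaw) makes every
    host produce exactly this same list; a per-host seed does not.
    """
    rng = random.Random(seed)
    return [".".join(str(rng.randrange(256)) for _ in range(4)) for _ in range(count)]


def distinct_targets(host_seeds, per_host_count: int) -> int:
    """Number of distinct addresses hit across all infected hosts."""
    seen = set()
    for seed in host_seeds:
        seen.update(scan_targets(seed, per_host_count))
    return len(seen)


def compare_seeding(num_hosts: int = 50, per_host_count: int = 200,
                    fixed_seed: int = 0x12345678) -> tuple[int, int]:
    """(distinct targets with one fixed seed, distinct targets with per-host seeds).

    With the fixed seed the union never exceeds per_host_count no matter how
    many hosts are infected; with per-host seeds it grows roughly linearly.
    """
    fixed = distinct_targets([fixed_seed] * num_hosts, per_host_count)
    per_host = distinct_targets(range(1, num_hosts + 1), per_host_count)
    return fixed, per_host


if __name__ == "__main__":
    # The post's switch-over: Friday 5pm Arizona (UTC-7) on 27 July 2001.
    mst = timezone(timedelta(hours=-7))
    print(worm_mode(datetime(2001, 7, 27, 16, 59, tzinfo=mst)))   # dos
    print(worm_mode(datetime(2001, 7, 27, 17, 0, tzinfo=mst)))    # scan
    fixed, per_host = compare_seeding()
    print(f"fixed seed: {fixed} distinct targets; per-host seeds: {per_host}")
```

Running the module prints the mode on either side of the 5pm Arizona / 00:00 GMT boundary the post gives and then the two target counts. The fixed-seed figure stays at one host's worth of addresses however many hosts are added, which is the limited spread the post describes; the per-host figure scales with the number of infected machines.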