
Re: [cobalt-users] Code Red variations



At 05:53 7-8-2001 -0400, you wrote:
I'm still getting attempts with both NN and XX. Don't worry too much
about it, as it can't affect your Linux box (yet - wait for version
3/4). Just keep an eye on it and see if you can get your ISP or NOC
to block those attempts, if they can...

Hmm, that makes me wonder. I have an idea!
How about making a default server-wide page (like how an error
document is set up) that responds to "default.ida?*"
Requests to that could be redirected to a script (CGI or PHP) that
grabbed the IP of the machine and tossed it into IPChains to be
denied. It wouldn't stop the first request from each machine, of
course, but it would stop any repeated requests.
Which begs the question - ARE there any repeated requests? I haven't
looked in my logs for this, maybe someone else already has.

Probably there will be some repeated requests. However, CR uses some sort of random functioning. But IMHO this is not worth checking. But let's say you would deny access from these IPs. If you have 100-150 requests a day then this could be done. But if you have so few hits, why bother setting up this wall???? If you have 4 or more requests per MINUTE!!!, then I think you would be insane to set up this wall. It's just a matter of disconnecting yourself from the Internet. Something like: "Gosh, I haven't had any CRs since yesterday. But hey!!!, I can't hook up with the rest of the world " Not preferable I think :)

Another idea is that the script would generate a whois on the IP and
fire off an email to the IP's owner or upstream alerting them that
they're infected and to take action?
We all know that CR's nasty habit is spreading rapidly and searching for other victims. Do you know how much data traffic this generates??? And then we come up with sending these poor Microsux Admins emails that they should patch their system. As an example: Admin 1 has a vulnerable and infected system. His system did 100 attempts to infect others. This generated a traffic of let's say (It's an example) 10KB. If all 100 others send him an email that he has been compromised and that he should take action, only these emails would generate 1 MB of data traffic. Can you imagine the scenario when we are talking about more than 600.000 unique source IPs which have been infected????? Code Red wouldn't kill the infrastructure, WE would.

Dunno, just trying to come up with some kind of response other than
sitting here helplessly watching my logs and stats fill up with this
useless crap...
--

IMHO I think this is the only thing we can do. Almost everybody knows that they should patch MicroSux :)


CarrieB
"The point to remember is that what the government gives, it must
first take away." --John S. Coleman

Sorry for my poor English :) I just felt like reacting to this post. NO hard feelings towards you, CarrieB. :)

Greetz,


Jozua Lagendijk

Hosting4all
Uniestede 9
4701 NR Roosendaal
The Netherlands
Tel. +31 (0) 165-391850
Fax +31 (0) 165-392610
http://www.hosting4all.nl

*Note: Our general terms and conditions apply to all Hosting4all services. They can be found at http://www.hosting4all.nl*
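To answer the question raised in the thread about whether the same source IP comes back more than once, here is a small added example (not from the original thread or any poster) that scans Apache access-log lines for `default.ida?` probes, tells the NN and XX variants apart, and lists the sources that repeated; the log lines are constructed samples with the worm's long filler shortened.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Apache access-log lines (not from the original thread); the
# NN/XX filler after default.ida? is shortened from the worm's real request.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2001:05:53:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 284
10.0.0.5 - - [07/Aug/2001:06:10:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 284
192.0.2.77 - - [07/Aug/2001:06:12:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 284
198.51.100.3 - - [07/Aug/2001:06:15:30 -0400] "GET /index.html HTTP/1.0" 200 1024
192.0.2.77 - - [07/Aug/2001:07:01:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 284
203.0.113.9 - - [07/Aug/2001:07:01:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 284
"""

# Common/combined log format: ip ident user [timestamp] "METHOD path ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def probe_variant(path):
    """Return 'NN', 'XX' or 'other' for a default.ida probe; None if not a probe."""
    if not path.lower().startswith("/default.ida?"):
        return None
    filler = path.split("?", 1)[1]
    if filler.startswith("N"):
        return "NN"
    if filler.startswith("X"):
        return "XX"
    return "other"

def code_red_hits(log_text):
    """Map each source IP to the list of (timestamp, variant) probes it sent."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        variant = probe_variant(m.group("path"))
        if variant:
            hits[m.group("ip")].append((m.group("ts"), variant))
    return dict(hits)

def repeat_sources(log_text, minimum=2):
    """Source IPs that probed at least `minimum` times, with their counts."""
    return {ip: len(v) for ip, v in code_red_hits(log_text).items() if len(v) >= minimum}

def variant_totals(log_text):
    """How many probes of each variant (NN vs XX) the log contains."""
    return Counter(variant for v in code_red_hits(log_text).values() for _, variant in v)

if __name__ == "__main__":
    print("repeat sources:", repeat_sources(SAMPLE_LOG))
    print("variant totals:", dict(variant_totals(SAMPLE_LOG)))
```

Run it against a real access_log by reading the file into `log_text`; the repeat count per IP is what decides whether a firewall rule per source would ever block anything beyond the first hit.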