Re: [cobalt-users] Code Red variations
- Subject: Re: [cobalt-users] Code Red variations
- From: "Kevin D" <kdlists@xxxxxxxxxxxxxxx>
- Date: Mon Aug 6 22:34:04 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
From: "Oblix" <oblix@xxxxxx>
> patch their system. As an example: Admin 1 has a vulnerable and infected
> system. His system did 100 attempts to infect others. This generated a
> traffic of let's say (It's an example) 10KB. If all 100 others send him an
> email that he has been compromised and that he should take action, only
> these emails would generate 1 MB of data traffic.
Let's see... if Code Red generates 10KB of data traffic per host, why does
each email have to generate 10KB of data traffic in response? Are you
planning to send a short story in response to an infection attempt? I'd say
your email would probably generate less than 1KB of traffic. And, judging
from how often my server has been hit (maybe once an hour, if that), those
emails would be spread over a great deal of time. I don't think traffic is
going to be a problem.
> >Dunno, just trying to come up with some kind of response other than
> >sitting here helplessly watching my logs and stats fill up with this
> >useless crap...
You can give these IPs to the people at Security Focus
(www.securityfocus.com). They have an email system set up with which they are
constructing a large database of infected systems. They are using this
database to notify affected system admins.
Actually, the chances are that the infected system admins have already been
notified via email, but either no one's checking those email accounts or the
system admins don't understand or care about the problem.
My advice? Ignore the log entries. Code Red is now just one more antiquated
exploit that will continue to affect only admins who don't know enough to
patch their systems (like the bind overflow, rpc vulnerabilities, etc etc
etc).
Kevin