RE: OT RE: [cobalt-users] Code Red variations
- Subject: RE: OT RE: [cobalt-users] Code Red variations
- From: Dom Latter <DLatter@xxxxxxxxxxxxxxx>
- Date: Tue Aug 7 00:48:37 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Not to extend this way OT topic too much, but it's possible
Well, it's more interesting than "how do I change the default
home page"....
> that the IP
> blocks the worm targets are all in the US. e.g., if it only targets
> 198.*.*.* or some other ARIN/US based blocks. Which may be why the
> whitehouse.gov site was the original target.
Just to make it clear, the original comment was about the Code
Red worm. Code Red generates "random" IP addresses to attack;
each infection however starts with the same seed to the random
number generator so the same IPs are always generated. It is
*possible* that the majority of this pseudo-random list of IPs
are US based.
But it is a fact that I'm getting plenty of Code Red (and Code
Red 2) hits in my logs.
It's worth pointing out at this point that CR and CR2 are
entirely separate, they just happen to use the same vulnerability
in IIS. Also, CR2 has a neat trick to make it more likely
that the randomly generated IP is for real, by trying addresses
in the same Class A or Class B subnet.
So, in fact, CR2 *is* likely to infect other machines in
geographical proximity, but this does not apply to Code Red.
http://www.mcabee.org/lists/nanog/msg03152.html for more
on Code Red. For more on CR2:
http://www.eeye.com/html/Research/Advisories/AL20010804.html
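The post's distinction, that Code Red draws from one fixed-seed "random" list while CR2 prefers addresses in the victim's own Class A or Class B range, shows up on the defender's side as a skew in where probe sources come from. The script below is an added example, not code from the list post or from either advisory: it pulls source addresses out of Apache-style access log lines, counts how many share the server's /8 and /16, and compares that against what unbiased random target selection would produce (1/256 of hits in the same /8, 1/65536 in the same /16). The log lines, the server address (198.51.100.7, from the documentation range) and the `lift_threshold` / `min_hits` cut-offs are all constructed assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed Apache-style access log lines (not real data); only the
# leading client address matters here, so the request paths are generic.
SAMPLE_LOG = """\
198.51.100.23 - - [07/Aug/2001:00:48:37 +0100] "GET / HTTP/1.0" 200 1234
198.51.100.200 - - [07/Aug/2001:00:49:02 +0100] "GET / HTTP/1.0" 200 1234
198.51.77.9 - - [07/Aug/2001:00:50:11 +0100] "GET / HTTP/1.0" 200 1234
198.51.12.4 - - [07/Aug/2001:00:51:40 +0100] "GET / HTTP/1.0" 200 1234
198.2.0.1 - - [07/Aug/2001:00:52:05 +0100] "GET / HTTP/1.0" 200 1234
198.200.9.9 - - [07/Aug/2001:00:53:19 +0100] "GET / HTTP/1.0" 200 1234
203.0.113.5 - - [07/Aug/2001:00:54:00 +0100] "GET / HTTP/1.0" 200 1234
192.0.2.77 - - [07/Aug/2001:00:55:31 +0100] "GET / HTTP/1.0" 200 1234
10.1.2.3 - - [07/Aug/2001:00:56:44 +0100] "GET / HTTP/1.0" 200 1234
198.51.100.23 - - [07/Aug/2001:00:57:58 +0100] "GET / HTTP/1.0" 200 1234
"""

SERVER_IP = "198.51.100.7"  # assumed address of "our" host (documentation range)

# Chance that a uniformly random IPv4 address lands in a given /8 or /16.
UNIFORM_SAME_A = 1 / 256
UNIFORM_SAME_B = 1 / 65536


def source_addresses(log_text):
    """Pull the leading client address out of each non-empty log line."""
    addrs = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            addrs.append(ipaddress.IPv4Address(line.split()[0]))
        except ipaddress.AddressValueError:
            continue  # skip malformed lines rather than abort the run
    return addrs


def locality_profile(server_ip, sources):
    """Count hits sharing the server's /8 (old Class A) and /16 (old Class B)
    and express each as a multiple of the uniform-random expectation."""
    srv = int(ipaddress.IPv4Address(server_ip))
    counts = Counter(total=0, same_a=0, same_b=0)
    for addr in sources:
        a = int(addr)
        counts["total"] += 1
        if a >> 24 == srv >> 24:
            counts["same_a"] += 1
        if a >> 16 == srv >> 16:
            counts["same_b"] += 1
    total = counts["total"] or 1  # avoid division by zero on an empty log
    frac_a = counts["same_a"] / total
    frac_b = counts["same_b"] / total
    return {
        "total": counts["total"],
        "same_a": counts["same_a"],
        "same_b": counts["same_b"],
        "frac_a": frac_a,
        "frac_b": frac_b,
        # how many times more often than chance neighbours are hitting us
        "lift_a": frac_a / UNIFORM_SAME_A,
        "lift_b": frac_b / UNIFORM_SAME_B,
    }


def scanning_pattern(profile, min_hits=10, lift_threshold=10.0):
    """Coarse label for the observed sources: 'locality-biased' when same-/8
    hits sit far above chance (what a CR2-style neighbour preference looks
    like from the victim's side), 'uniform' when consistent with an unbiased
    random target list, 'insufficient data' for samples too small to judge."""
    if profile["total"] < min_hits:
        return "insufficient data"
    if profile["lift_a"] >= lift_threshold:
        return "locality-biased"
    return "uniform"


if __name__ == "__main__":
    prof = locality_profile(SERVER_IP, source_addresses(SAMPLE_LOG))
    print(prof)
    print(scanning_pattern(prof))
```

On the constructed sample, 7 of 10 hits share the server's /8 and 5 share its /16, roughly 180 and 33000 times the uniform expectation, so the script labels the pattern locality-biased. The thresholds are deliberately generous; the useful signal is the lift, and on a real log you would want far more than ten hits before drawing a conclusion.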