Re: code red goes on
On Mon, 6 Aug 2001, Chris Niekel wrote:
>On Sun, Aug 05, 2001 at 07:02:35PM -0600, John Galt wrote:
>> [...]
>> CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a
>> pseudo-r00tkit. If the IIS admins didn't learn the first time, they got
>> screwed hardcore the second. Not even a reacharound this time.
>
>I get hit every 2 minutes. And apparently lots of computers are now
>advertising that they can be remotely controlled. Wouldn't it be nice if
>there were some 'hack' to send to such a server so that it gets fixed.
>I've got a list of hundreds of IPs of IIS-servers almost begging for an
>antidote!

Telnet to port 80 of the affected server. You'll get a rootshell, add the
file C:\noworm. This will (hopefully, I'm using CR's fix on CR2's
rootshell) prevent it from broadcasting all the junk.

>My stats for today (20 hours): 601 CodeRed2's, 8 CodeRed1's. With my
>cablemodem it looks like my whole country is infected. Although it's
>only 268 unique IPs. CodeRed2 attempts to spread a lot more than 1.

CR2 is actually seeming to have a twist in its IP picker that weights it
to the subnets where cable/dsl users are the rule.

>Well, better start ignoring the output.
>
>Greetings,
> Chris Niekel
>
>
--
Sacred cows make the best burgers
Who is John Galt? galt@inconnu.isu.edu, that's who!!!
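
An added example, not part of the original thread: one way to produce the kind of tally quoted above (hits per variant and unique source addresses) from a web server access log. It assumes Apache common log format and relies on the widely reported difference in the probe's padding, a run of `N` for the original Code Red and a run of `X` for CodeRed2; the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed access-log lines (documentation address ranges, shortened probes).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:10:00:01 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276
192.0.2.10 - - [06/Aug/2001:10:02:07 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276
198.51.100.7 - - [06/Aug/2001:10:03:30 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276
203.0.113.5 - - [06/Aug/2001:10:04:00 +0200] "GET /index.html HTTP/1.0" 200 1024
203.0.113.9 - - [06/Aug/2001:10:05:12 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276
"""

# Client address, method and request path from a common-log-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')
# The probe targets /default.ida with a long run of a single padding letter.
PROBE_RE = re.compile(r'^/default\.ida\?(N{8,}|X{8,})')


def classify(path):
    """Return 'CodeRed1', 'CodeRed2', or None for an unrelated request."""
    m = PROBE_RE.match(path)
    if not m:
        return None
    return "CodeRed1" if m.group(1)[0] == "N" else "CodeRed2"


def summarize(log_text):
    """Count probe hits per variant and the number of distinct source addresses."""
    hits = Counter()
    sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        variant = classify(m.group(3))
        if variant:
            hits[variant] += 1
            sources.add(m.group(1))
    return dict(hits), len(sources)


if __name__ == "__main__":
    hits, unique = summarize(SAMPLE_LOG)
    print(hits, "unique sources:", unique)
```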