Domain: incidents.org
Stories and comments across the archive that link to incidents.org.
Comments · 74
-
Re:Hotmail running Windows again?
"Hmmmm, redirected eh? I wonder if they have read this?"
Unlikely. I suspect that the admins are too busy responding to the requests for advice that have been pouring in lately :P
-
Re:Hotmail running Windows again?
So they moved it over to an MS platform. According to my scanner, it's running IIS 5.0.
Hmmmm, redirected eh? I wonder if they have read this?
[64.4.53.7:80] World Wide Web HTTP
HTTP/1.1 302 Redirected..Server: Microsoft-IIS/5.0..Date: Thu, 09 Aug 2001 14:48:33 GMT..Location: http://lc2.law5.hotmail.passport.com
I wonder if IIS 5.0 is vulnerable as well?
-
Re:Smoke and Mirrors?
Right you are... from incidents.org
WinNT/IIS-4.0 with URL Redirection Still Vulnerable After Patch http://www.incidents.org/diary/diary.php#801
-
Windows NT servers
I submitted this as an article this morning, but as it is still pending, and both my home and work servers are still under constant annoyance, I figured I'd pass it on here as well. If you are running a Windows NT server, kindly do us all a favor and just turn it off for a few months.
According to yesterday's Handler's Diary on www.incidents.org, "Microsoft has confirmed that if an IIS 4.0 webserver is using URL redirection, it is still vulnerable to Code Red even if the Microsoft patch is installed". The only known solution is to remove all URL redirections from NT servers running IIS 4.0.
-Tommy
-
Re:What the hell, The patch doesn't work
Actually, the MS provided patch doesn't work against Code Red if you have URL forwarding on your server. I bet they have it enabled, and so they were left open...
-
Re:Cutting off port 80?
AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm
I don't really see how this will help either. If you're running an unpatched IIS connected to the net, you'd been scanned and rooted a couple of thousand times by now. If you look at the graphs on incidents.org, you'll see the worm isn't really spreading any more. It's just flooding.
-
How Code Red uses sockets...
Umm, I hate to be the damper on evil plans for Code Red... but according to incidents.org and other virus websites, Code Red uses non-blocking socket connections: "uses a nonblocking socket to connect to each target. Specifically this means that if one thread is stuck waiting for a slow connection to a particular target, the wait will not slow down the rest of the threads from continuing their scanning function." Any servers which "wait" are just wasting their own processor and memory.
Scott.
-
Some Individual Forensics
-
CodeRedNeck
Check out this heise.de article (in German, sorry)!!! Somebody apparently programmed a little Linux tool that may be able to slow the spread of the worm down a little. The idea was first introduced in the incidents.org forum. May be worth a look.
-
New Code Red Variant
I sent this in as an anonymous story, but it looks like this one got posted instead. According to www.incidents.org there is a new variant of Code Red (of which this would be the third version). This one installs a backdoor. As someone else posted here, the telltale sign is that the buffer overwrite payload is now a string of 'X's and not 'N's as in the previous two versions of Code Red. The stakes have been raised folks.
-
a quick fix
Here's a perverse idea for a quick fix for CR2.
First, see here for how to telnet into the back door left by all CR2 infections. Second, write a script to telnet to all infected hosts which probe you on port 80 and shut down the offending machine. Third, run this script on your web server so that all hosts probing your site get shut down.
If everyone did this, then CR2 would disappear off the net within 24 hours, and we could all rest easy!
-
How is www.incidents.org getting so many attacks?
I'm curious how they are getting the numbers for the graph at www.incidents.org... If Red Code RANDOMLY generates IP addresses to try, then I have the same chance of getting attacks on my web site that they do. My usage graph for the Reflective Puddle of Leaking Mental Ooze only shows about 65 attempts so far...
What gives? How are they getting 150,000+?
-
Re:How do they know 22,000 servers were infected..
They describe it in broad terms, but it boils down to log entries and unique source IPs.
-
Re:NEW DATA [was Re:Geometric growth.]
I find it interesting that I've been scanned once already on my home dialup. As I'm paying UK connection charges and I'm rather broke at present (see .sig) I tend to go online for short periods, collect/send mail and grab a ton of pages for offline reading. (I'm even writing this offline in emacs.) If I'm getting hit during those very narrow windows of opportunity, it implies there's a rather large number of scans taking place. OTOH, when Incidents isn't Slashdotted, it looks like the curve is flattening out at around 25% of the total infected last time - about 60,000 +/- 5000 is my guess. The question is, is that enough infected hosts to cause enough ARP floods to impact global connectivity. So far connectivity has been patchy for me - jobserve was down all afternoon, a couple of other sites were patchy, everything else was OK. Same as normal, in other words.
-
Re:Billions of dollars spent...
Not yet, anyway. It's still spreading at a logarithmic rate, like a biological virus. I'm seeing hits from the worm increase by an order of magnitude every 4-5 hours, starting from last night. The graphs at http://www.incidents.org show the same kind of behavior for their systems.
It'll start out small, but it doesn't take long to become a Real Big Problem at this rate.
-
Re:Am I the only one besides beanspace...
I'm not sure if we're the only ones, but I still say Screw It! Incidents.Org is reporting exponential growth, it's a warm 80 degrees out, with a mild breeze. Let's go fishin'!
-
Not Quite
incidents.org is tracking the spread. It still looks to be on its exponential path to death and destruction of the Internet (sarcasm included.) As of this post, incidents reports 22,000 infected (up from ~13500 an hour earlier.) It's too early yet to tell how this will pan out.
-
Sheesh
Look, it's not going to destroy the internet. It's not going to be a tempest in a teacup either. incidents.org reports 22,000 infections at this point. I've recorded 4 hits so far this morning (though I got nearly 30 the last time around).
For the media to go nuts, it took press conferences and press releases from the FBI and Microsoft. Those big organizations aren't making the same noise about Sircam (or Sklyarov, or...).
-
Y2K My Ass
Well, if you look at the graphs available at incidents.org you can see that this outbreak has been growing slowly, but the growth rate is substantial. It may not be the end of the Internet, but it's certainly something to keep an eye on.
-
Not out of the woods yet
I suspect that the news media can only handle pushing FUD and hysteria for one threat at a time. It is interesting to note, though, that growth of infections is again showing exponential growth, which begs the question...given all the hyperventilating even the mainstream media has done over Code Red, how can you not have patched your servers by now?!?
Andrew
-
Re:What I love...
"Have you set your firewall to block the DHCP server?"
Wrong question. Things like this don't happen because people carefully aim their shotguns at their own feet, they happen because they don't think through the consequences of their actions and end up shooting themselves in the foot anyways. They said "block the world!" and it did. DHCP, too.
No one should block ANYTHING in a non-emergency situation without getting complete network captures for a week. Or more. And then understanding each and every packet, even if their conclusion on some of the packets is simply "I have no clue where that came from or why!"
But no: here, buy this, install it, and set it to 'Paranoid' mode, and then start spamming the contacts at Fortune 50 companies when you can't figure out why you got a RST/ACK from port 80 on the web server to which you were talking. And yes, I DO have to reply to such people. I try to be nice, I really do, because I know how frightened and overwhelmed they must feel.
Earth to all BlackIce and ZoneAlarm users: Read SANS' Internet Storm Watch for a week or two before you send me ANY more mail. Please?
-
Incident Handlers
GIAC has a similar system already at incidents.org. They assign a "handler" to be on duty at any given time, and all incident reports are filtered through the handler. Someone might submit falsified logs, but unless a lot of sources report the same incidents they probably won't get much mention.
-
GIAC Has a Similar System
Incidents.org is run by the Global Incidents Analysis Center which is associated with the SANS institute. It's been operating for a while and the "current detects" section is very valuable for those of us who have to address day-to-day security issues.
GIAC assigns a "handler" to be on-duty at any given time. All the reported incidents are filtered through the handler.