Slashdot Mirror


Code Red Back For More

Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2-infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.
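The submitter's breakdown of logged attempts by address block can be reproduced from a web server access log. The following is an added example, not part of the original post: it assumes an Apache-style access log and that Code Red II probes request `/default.ida` padded with `X` characters (from public reporting, not from this page); the log lines are constructed, and `classify`, `tally` and `SAMPLE_LOG` are hypothetical names.

```python
import ipaddress
import re
from collections import Counter

# Assumption (not from the page): Code Red II probes request /default.ida
# padded with 'X'; the original Code Red padded with 'N'.
CR2_PROBE = re.compile(r'^(\S+) .*"GET /default\.ida\?X{20,}')

def classify(src, local):
    """Bucket a source address relative to the logging host's own address."""
    s = ipaddress.IPv4Address(src).packed
    own = ipaddress.IPv4Address(local).packed
    if s[:2] == own[:2]:
        return "same /16"   # the old "Class B" block
    if s[:1] == own[:1]:
        return "same /8"    # the old "Class A" block
    return "other"

def tally(log_lines, local):
    """Count CR2-style probes per bucket; non-matching requests are skipped."""
    counts = Counter()
    for line in log_lines:
        m = CR2_PROBE.match(line)
        if not m:
            continue
        try:
            counts[classify(m.group(1), local)] += 1
        except ipaddress.AddressValueError:
            # Log was written with reverse-DNS names instead of addresses.
            counts["unparsed"] += 1
    return counts

def _line(src, path):
    return f'{src} - - [04/Aug/2001:09:11:02 -0400] "GET {path} HTTP/1.0" 404 205'

# Constructed sample log; padding is shortened and carries no payload.
SAMPLE_LOG = [
    _line("10.20.7.9", "/default.ida?" + "X" * 24),
    _line("10.20.200.1", "/default.ida?" + "X" * 24),
    _line("10.20.7.9", "/default.ida?" + "X" * 24),
    _line("10.99.1.1", "/default.ida?" + "X" * 24),
    _line("192.0.2.55", "/default.ida?" + "X" * 24),
    _line("10.20.5.5", "/default.ida?" + "N" * 24),   # original Code Red style
    _line("10.20.5.6", "/index.html"),                 # ordinary request
    _line("host.example.net", "/default.ida?" + "X" * 24),
]

if __name__ == "__main__":
    for bucket, n in tally(SAMPLE_LOG, "10.20.30.40").most_common():
        print(f"{bucket:10} {n}")
```

A tally dominated by the "same /16" bucket matches the locality the submitter describes.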

5 of 866 comments

  1. Re:If this can't break Microsoft's back nothing wi by IronChef · · Score: 5, Insightful


    Unlike a car that explodes due to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.

  2. What are you talking about? by whatnotever · · Score: 4, Insightful

    "Code red algorithm"??? It's called a random IP scan. In this variation, it's called a scan of the local subnet with a random IP thrown in every now and then. There's nothing special about it.

    It's fast because that's how exponential growth works.

  3. Re:A few more details by nebby · · Score: 5, Insightful

    I haven't done any analysis of the worm myself, but has anyone questioned the possibility that this new version is phase two of the original worm? Not the same code per se, but perhaps the old code red does something to tell the new code red to "come here" or something?

    The fact the old code red is turned off tells me that they might be linked to the same person/organization or something.. if I were some independent cracker I wouldn't bother getting rid of the old one since that's another thing which might break when I launch the new worm.

  4. It's not safe to install IIS while on a network... by weave · · Score: 5, Insightful

    With this high a number of scans it is now suicidal to install IIS while connected to the net. Chances are very good that your box will get compromised before you have a chance to apply the patch, even if you do so right away. And since people can easily set up a reverse hack to automatically do other nasty stuff to your box after THEY get probed, the risk is even higher.

    Solution, never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied first.

  5. Why don't they... by Greyfox · · Score: 4, Insightful

    Modify the code red code to apply the security patch to the vulnerable IIS servers and reboot the system? While this is potentially destructive to your system (I'm told -- MS security patches and all that) it would pretty well take care of this problem...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?