Slashdot Mirror

← Back to Stories (view on slashdot.org)

Code Red II: Shells for the Taking

Posted by CmdrTaco on from the it-keeps-getting-more-and-more-comical dept.

sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accesible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

4 of 602 comments (clear)

  1. Help track this: submit your logs to dshield! by mjh · · Score: 5, Informative
    You might want to consider submitting your apache logs to dshield. This will help keep track of the extent of this problem as well as help to analyze where it may have originated. If the dshield folks can correlate the earliest attacks of the latest variant, they have a chance at finding where this thing originated.

    Submissions can be made by following these instructions.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  2. Killing small ISPs by Alien54 · · Score: 5, Informative
    I know of at least one small ISP that had very serious problems this week.

    First one of the top dogs in the place sent sircam throughout the company. This was a really bad hair day.

    Then they had a separate second problem where user mail boxes flooded out crashing the mail server, among other strange things. Imagine users with DSL lines sending out multimegabyte files that bounce. Considering that most ISPs configure the drive space for mail based on average usage of users, and do not set aside the actual amount of drive space for user mail, etc. that has been promised for all users.

    BOOM!

    If this keeps happening, this is going to be bad for business in a lot of places.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  3. Securityfocus asks for IPs by mawis · · Score: 5, Informative

    To notify the administrators of the attacking servers you can send their IP followed by the date and time of the attack to aris-report@securityfocus.com. - Please use this format because it's a robot address. http://securityfocus.com/announcements/310

  4. A Warning to Whitehats by Ms.Taken · · Score: 5, Informative
    Anyone working on scripts which respond to Code Red attacks by patching the originating server should read this cnet article, which calls that approach 'hack-back'.

    From the article:

    The FBI has dismissed using any hack-back tactic as well. "It is not something that we could consider," said spokeswoman Debbie Weierman. "It would basically be viewed as an unauthorized intrusion."

    It's not clear from the article whether such an 'unauthorized intrusion' by a private citizen would be illegal, but it might be worth thinking about before you go riding out to do battle with the Red Worm.