Slashdot Mirror


Code Redux

I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage. Code Red is hitting cable modem networks especially hard, as the new variants scan "nearby" IPs in preference to random ones, which has apparently caused enough damage and network congestion that AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm, or so several submitters reported. Newsforge has a story about various reactions to the worm, and reader nettdata sent in an interesting story about the worm becoming the main course at a dinner of security specialists.

4 of 472 comments

  1. increasing number of scans by kajoob · Score: 0, Redundant

    I'm running BlackICE Defender (I know, I know, real men run firewalls at the network layer); however, I'm up to about 8-9 scans on my port 80 every hour and it seems to be increasing.

    --
    Quidquid latine dictum sit, altum viditur
  2. Massive ARP traffic by PoochieReds · Score: 0, Redundant

    I just got home from work and saw the little light on my cable modem going nuts. I ran tcpdump from my firewall box and I'm seeing MASSIVE amounts of ARP traffic.

    Perhaps I'll call Road Runner and see about a refund for the crappy bandwidth I'm getting tonight ;-).

  3. Create a Good Virus? by nicoz · Score: 1, Redundant

    Why not create a good virus to interact with Code Red and force it into a benign state?

    Is this possible?

  4. It's about time... by sfe_software · Score: 0, Redundant

    I agree that cable users are causing the most damage from what I can see. I wish Road Runner (Time Warner Cable) would cut off port 80 as well. I'm logging thousands of attempts from other RR users on my firewall.

    My web server is also logging in the hundreds, mostly from various cable and DSL users. Personally I think it would be nice if they could re-enable port 80 on request for those who actually need it, but unless you're a business customer, I would think blocking port 80 temporarily would be for the greater good...

    BTW, when I visit the Road Runner IPs I'm logging, most of them don't have a page up at all. I get an IIS error about there being no "default" page... IOW, I suspect these users have no idea that they're even running IIS, much less that they're infected. Others show a page saying that too many connections are open (is this some sort of artificial limit in IIS, which depends on the license you've purchased, or is it actually an overload condition? Or an OS limitation?)

    It seems like the cable networks should let their users know (this could easily be automated: "Dear Customer, you are infected with Code Red, go here...")

    Besides, these people are killing my ping times in UT :)

    --
    NGWave - Fast Sound Editor for Windows
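The two things this thread keeps coming back to are counting the port-80 probes that land on a home web server and working out how many come from the "nearby" cable segment rather than from random addresses, and the idea that an ISP could turn that list into an automated "you are infected" notice. The script below is an added example written for this page, not code from any of the commenters or from Slashdot. It parses constructed Apache-style access log lines, matches the well-known Code Red probe request (a GET for /default.ida followed by a long run of N or X characters; the thread itself never states the request string, so that signature is an assumption), counts probes per source, and splits them by whether the source sits inside a local /24 that the reader supplies. The addresses, timestamps and the local prefix are made up.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache common log format. The addresses are
# documentation ranges and the timestamps are made up; this is not real traffic.
# The request string assumed here is the well-known Code Red probe: a GET for
# /default.ida followed by a long run of N (or X) characters.
SAMPLE_LOG = """\
198.51.100.17 - - [19/Jul/2001:20:01:12 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 -
198.51.100.203 - - [19/Jul/2001:20:01:15 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 -
198.51.100.17 - - [19/Jul/2001:20:02:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 -
198.51.100.17 - - [19/Jul/2001:20:02:41 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 -
203.0.113.44 - - [19/Jul/2001:20:03:01 -0400] "GET /index.html HTTP/1.1" 200 1432
192.0.2.9 - - [19/Jul/2001:20:03:30 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 -
198.51.100.88 - - [19/Jul/2001:20:04:02 -0400] "GET /robots.txt HTTP/1.1" 404 -
"""

# One access-log line: source, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Code Red probe signature (assumption, see above): /default.ida with a run of N or X.
PROBE_RE = re.compile(r'^GET /default\.ida\?[NX]{10,}', re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text):
    """Return (source, timestamp) for every line whose request matches the probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.match(rec["req"]):
            hits.append((rec["src"], rec["ts"]))
    return hits


def _in_net(addr, net):
    """True if addr is an IP address inside net; hostnames or garbage count as outside."""
    try:
        return ip_address(addr) in net
    except ValueError:
        return False


def summarize(log_text, local_net):
    """Count probes per source and split them into local-segment vs remote sources.

    local_net is the prefix of the reader's own cable segment (a /24 is assumed in
    the sample), so a high local share is the 'nearby' scanning pattern the story
    describes."""
    net = ip_network(local_net)
    probes = find_probes(log_text)
    per_source = Counter(src for src, _ in probes)
    local = sum(n for src, n in per_source.items() if _in_net(src, net))
    return {
        "total": len(probes),
        "per_source": dict(per_source),
        "local": local,
        "remote": len(probes) - local,
    }


def sources_to_notify(summary, local_net, threshold):
    """Local sources with at least `threshold` probes: the list an ISP could feed to
    an automated 'you are infected' notice instead of blocking port 80 for everyone."""
    net = ip_network(local_net)
    return sorted(
        src for src, n in summary["per_source"].items()
        if n >= threshold and _in_net(src, net)
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, "198.51.100.0/24")
    print(f'{s["total"]} probes: {s["local"]} from the local /24, {s["remote"]} remote')
    for src in sources_to_notify(s, "198.51.100.0/24", 2):
        print("notify", src, s["per_source"][src])
```

On the constructed sample, four of the five probes come from the 198.51.100.0/24 segment and one from elsewhere, which is the lopsided distribution the story attributes to the newer variants. The threshold in `sources_to_notify` is there so that a single stray request does not trigger a notice; a real ISP feed would want a longer window and a check that the source actually answers on port 80 before mailing the customer.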