
Re: [cobalt-security] The Code-Red Worm is attacking... GOD it's attacking.



> grep '\.ida' /var/log/httpd/access | wc -l
>
> > And it cut down the number to the true attempts - 247.
> > Still... sheesh.
>
> Where's the problem? I mean, 247 hits, in a not mentioned timespan -
> nothing new, right? We don't run Winslows boxes, so we don't have to
> care. Tell me when I am completely wrong there.

Um, actually the above is not accurate.  The worm attempts to hit
ANYTHING on port 80.  The payload is actually not delivered unless there
is a connection (duh).  However, it has been observed that the buffer
overflow string can cause certain Cisco servers to crash, as well as HP
print devices with a port 80 open, many DSL routers with a web interface
port, and also Novell "Border Manager" software.  The code doesn't
replicate on these devices, but crashes are being observed.

Of course, as you said "Where's the problem?"  No one in their right
mind would expose a port 80 administration port to the "outside", which
would mean that attempts to hit a print device, Cisco server, or border
manager port on its http web administration port should bounce off your
firewall.  The problem is that many people are learning their firewall
doesn't block these things, and many others are learning why they should
have a firewall in the first place.

The fact that we are now upwards of 400,000 infected servers which are
being used as agents of attack is also troubling.  Our IDS system
reports that we've had over 5,000 attacks since 9:40 yesterday morning.

Analysis and some notes at:

   http://www.harshtruth.com/warnings.html

Sadly, there are close to 6 million IIS servers on the public Internet,
and the majority of these (any not patched since June 12th) are
vulnerable.

_-_
gar
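The grep quoted at the top of this message counts every access-log line containing the substring ".ida", which is a rough proxy for worm probes: it over-counts any unrelated path that happens to contain ".ida" and, because a web server only logs requests it accepted and parsed, it never sees the port 80 connections that were dropped or that crashed a device before a request was logged. The script below is an added example, not code from the thread or from any of the people posting in it; it parses Apache common-log-format lines, keeps only requests for an .ida ISAPI extension with a long query string, and reports the count per source host beside the raw substring match count. The log lines, hosts, timestamps and the length threshold are constructed for the example; the query is modelled on the worm's padded request but is not a byte-exact copy.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed threshold: a worm probe carries a query far longer than any legitimate .ida call.
MIN_QUERY_LEN = 200


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ida_probe(entry):
    """True when the request targets a .ida ISAPI extension with an oversized query string."""
    path, _, query = entry["target"].partition("?")
    return path.lower().endswith(".ida") and len(query) >= MIN_QUERY_LEN


def summarize(lines):
    """Count .ida probes: raw substring matches (what grep counts), real probes, and per-source totals."""
    probes = []
    grep_matches = 0
    for line in lines:
        if ".ida" in line:          # same over-inclusive test as grep '\.ida'
            grep_matches += 1
        entry = parse_line(line)
        if entry is not None and is_ida_probe(entry):
            probes.append(entry)
    per_source = Counter(e["host"] for e in probes)
    return {
        "grep_matches": grep_matches,
        "probes": len(probes),
        "unique_sources": len(per_source),
        "per_source": dict(per_source),
    }


def sample_lines():
    """Constructed log lines for this example; they are not taken from the original thread."""
    shell = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"  # illustrative tail only
    probe_n = "/default.ida?" + "N" * 224 + shell + "=a"        # padded with one character
    probe_x = "/default.ida?" + "X" * 224 + shell + "=a"        # second padding variant
    return [
        f'10.0.0.5 - - [19/Jul/2001:09:41:02 -0500] "GET {probe_n} HTTP/1.0" 404 274',
        '10.0.0.9 - - [19/Jul/2001:09:41:10 -0500] "GET /index.html HTTP/1.0" 200 1043',
        f'192.0.2.17 - - [19/Jul/2001:09:42:31 -0500] "GET {probe_x} HTTP/1.0" 404 274',
        # substring ".ida" appears here, so grep counts it, but it is not a probe
        '10.0.0.9 - - [19/Jul/2001:09:43:05 -0500] "GET /docs/release.ida-notes.html HTTP/1.0" 200 512',
        f'10.0.0.5 - - [19/Jul/2001:09:44:48 -0500] "GET {probe_n} HTTP/1.0" 404 274',
    ]


if __name__ == "__main__":
    report = summarize(sample_lines())
    print(f"grep-style matches: {report['grep_matches']}")
    print(f"actual .ida probes: {report['probes']} from {report['unique_sources']} hosts")
    for host, n in sorted(report["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {host}: {n}")
```

To run it against a real log, replace `sample_lines()` with the lines of your access log; the per-source table is what you would hand to upstream abuse contacts, since every source in it is itself an infected host, and the gap between the grep count and the probe count shows how much the one-line grep over-counts.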