Re: [cobalt-security] The Code-Red Worm is attacking... GOD it's attacking.

[Nick Drage <nickd@xxxxxxxxx>]

Hi,

Carrie Bartkowiak wrote:
> 
> On Thu, 19 Jul 2001 15:42:26 -0700 (PDT), shimi wrote:
> >>You can keep track of how many attempts to infect your machine had
> >>already
> >>been done at any given time, using this command:
> >>
> >>cat /var/log/httpd/access | grep .ida | wc -l
> 
> Ran the command, got 402.
> 402!!! Jaysus.
> Shimi where can I read more about this attack and what they're trying
> to do?

http://www.eeye.com/html/Research/Advisories/AL20010717.html

Is the original research piece, which is being corrected by some posters
to the Bugtraq mailing list, which you should be a subscriber of already
to be honest, web archive at SecurityFocus if you're not.

Note that, as a latter poster suggests, this attack is allegedly causing
problems with other web enabled devices, but please do be mindful of the
hysterial this worm seems to be generating, as it is being accused of
taking down any device that even thinks about listing on port 80 on any
interface ( Novell Bordermanager for chrissakes ).  Talking of hysteria:

> And just wait until Microsoft puts out XP - if you're not up on that,
> go to www.grc.com and read about it - full socket support; we're
> doomed. (Thanks to David Lucas for showing me the GRC attack page and
> M$ articles.)

For some alternative views on that please do refer to:

http://www.metastasis.demon.co.uk/gibson.html

Correspondence on this subject will not be entered into, especially on a
Cobalt RaQ mailing list :)

-- 
Nick Drage - Demon Internet - Security Architecture