
Re: [cobalt-security] The Code-Red Worm is attacking... GOD it's attacking.



At 09:53 AM 7/20/2001, you wrote:
On Fri, 20 Jul 2001 09:00:44 +0200, Andre Bonhote mumbled something
like:
>>Sorry to be teacherish, but why the two pipes? I mean
>>grep '\.ida' /var/log/httpd/access | wc -l
>>does the job. Just quote the period and it's not a regexp anymore.

Don't apologize for being teacherish; it helps!
I piped it twice because Shimi piped it twice, and to be honest I
didn't know it could be written the way that you did it. I thought
that to look through a file you had to 'cat' or 'head' the file and
pipe the output through grep.
*sheepish look*
I know now, though! Thank you!

>>Where's the problem? I mean, 247 hits, in a not mentioned timespan
>>nothing new, right? We don't run Winslows boxes, so we don't have to
>>care. Tell me when I am completely wrong there.

Well from reading some of the URLs posted, I learned that infected
boxes start scanning the same first IP and then generate a set of
random IPs to scan based off of that one. For each instance of the
worm the infected machine runs 9 threads (10 if it's not an english
machine) looking to infect other machines, and many machines end up
scanning the same IPs over and over. They re-infect each other,
causing more instances of the worm and threads...scanning the same
IPs...
Actually I think the articles say they run 100 threads and that number 100 is reserved to see if the machine uses the English (US) language. If not, then that one tries to find other machines also. It also does not say this will all stop after the 20th. It says after the 20th it will try and contact the old Whitehouse IP address and if it connects it will do its thing. Thus when we get to the 1st of August this may all start again.


And it just means a major rise in hits to our servers if we get into
the random IP generation. These wasted hits will skyrocket our
bandwidth and could (if there were enough of them) effectively
provide a denial of service to our machines simply from the mass
traffic. I realized, after I wrote that, that the 247 hits was from
the entire day (since I was looking through the access log that had
been flushed out at 4:01 am) rather than just one hour, which was my
original thought process.

The random IP generator seemed to always start with the same IPs before really becoming random. The thought process here is that maybe the originator of the worm was one of them and could see just how many machines had been infected. The fact that it started to grow was not unusual. It is just a factorial. 5 machines each get 5, which each get 5, which get 5; you know, 5*5*5*5 etc. You know it goes from 5 to 25 to 125 to 625 to 3125 to 15625 and it gets bigger faster. It appears that eEye only started getting hit on Friday the 13th and it grew from there. They say about 500,000 tries per day and 196,000 infected by 3pm on the 19th of July.

So no, you're right, 247 wasted hits in one day (compared to one
hour) isn't much; but I worry because my IPs are getting into that
random generation. When someone sees what a failure the attack was on
whitehouse.gov (aiming directly for the IP rather than the FQDN
itself) they'll re-write it and make it better - already have, I
think, since the # of infected machines jumped massively between 4am
and noon yesterday - and so I worry that next month when this
rewritten thing rolls around again, I'm going to be offline simply
from wasted requests from infected machines - an effective denial of
service.

Am I off-base here, worrying too much?

247 for the day is not too bad, but how many IP addresses do you have on the machine? If you only have one you are better off. The more IPs you have on a machine, the more impact you will feel. If you had a block of say only 128 IPs, you would be around 32000; boy, is this making your log files grow.

And for those who have not read about it being found and taken apart
http://www.eeye.com/html/Research/Advisories/AL20010717.html
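The thread's one-liner gives a whole-file total, which is how a full day's 247 hits got read as one hour's. The script below is an added example, not code posted in the thread: it breaks ".ida" probes in an Apache common-log-format access log down per hour and per source address. It assumes a log at a temporary path (a real one would be /var/log/httpd/access as in the thread); the log lines are constructed samples using documentation address ranges.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts Code Red ".ida" probes in
# an Apache access log (common log format) per hour and per source address,
# so a whole-day total is not mistaken for an hourly rate. The log lines
# below are constructed samples written to a temporary file; the request
# path is shortened, a real probe carries a much longer query string.
LOG="${TMPDIR:-/tmp}/codered_sample_access.log"
cat > "$LOG" <<'EOF'
192.0.2.10 - - [19/Jul/2001:04:12:03 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 284
192.0.2.11 - - [19/Jul/2001:04:45:17 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [19/Jul/2001:05:02:41 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 284
192.0.2.10 - - [19/Jul/2001:05:30:09 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 284
203.0.113.5 - - [19/Jul/2001:05:31:55 -0400] "GET /robots.txt HTTP/1.0" 200 68
192.0.2.10 - - [19/Jul/2001:13:07:22 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 284
203.0.113.5 - - [19/Jul/2001:13:08:40 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 284
EOF

# Whole-file total: the single-grep form from the thread, with -c instead of wc -l.
count_ida() {
  grep -c '\.ida' "$1"
}

# One "DD/Mon/YYYY:HH count" line per hour that saw at least one probe.
# Field 4 of CLF is "[DD/Mon/YYYY:HH:MM:SS"; the leading "[" is stripped.
ida_per_hour() {
  grep '\.ida' "$1" | awk '{ split($4, t, ":"); h = substr(t[1], 2) ":" t[2]; c[h]++ }
                           END { for (h in c) print h, c[h] }' | sort
}

# Busiest hour only ("DD/Mon/YYYY:HH count"); ties resolve to the earlier hour.
ida_peak_hour() {
  ida_per_hour "$1" | sort -k2,2nr -k1,1 | head -n 1
}

# Probing hosts ranked by request count ("count ip"); the repeat scanners
# the thread describes show up at the top. Optional second arg limits rows.
ida_top_sources() {
  grep '\.ida' "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

count_ida "$LOG"
ida_per_hour "$LOG"
ida_peak_hour "$LOG"
ida_top_sources "$LOG"
```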