[cobalt-security] Re: Code Red Special Effects (WAS: Hacking my Raq4i???)



1.  Code Red (older version) is portscanning the box.  This is NORMALLY not
a problem, since we are on Linux x86 boxen and the CR variants (thus far)
only affect W32 x86 boxen.  The 'Xes' are the 'payload': harmless (for now).

2.  However:
     a)  if you have Frontpage extensions or the ChiliSoft! extensions
installed, you are running ISAPI filters and there is discussion in the vuln
groups that these will be susceptible to the newer variants and mutations of
Code Red.  Remove and disallow ALL FrontPage extensions.
     b)  if you are running what is commonly called a 'transparent proxy' or
filtering Port 80, there are currently discussions on the various lists as
to the fact that the proxies are bringing down servers as they are
overloaded by probes.  Hogwash (http://hogwash.sourceforge.net) seems to
help on server machines, but some DSL and cable modems, as well as Cisco 67x
routers, still seem to be susceptible, and cannot be 'hogwashed' yet.  Turn
off Port 80 services/redirect Port 80 and install a strong firewall and
(possibly) a redundant drop-filter, such as Hogwash.

3.  Begin to monitor incidents.org and better educate yourselves.  Learn to
use nessus and snort and monitor the whitehat groups.  Submit your server
logs to dshield.org on a regular basis, using the processes and scripts on
their website.  Get a decent email and domain pre-scanner (make this
commercial, as you need to depend on the company to promptly issue new virus
and vuln sigs).

The variant that was quoted in the first thread is the older CR version.
The newer version inserts other characters and may be persistent (i.e.,
require a box rebuild in order to clean and audit the incident).  There is
currently talk that, since the majority of 'probes' seem to be coming from
broadband home users, there needs to be a function available on the
Internet as a 'service' for the more professional sysadmins (i.e., those
running secure, up-to-date OSes and webservers/server farms and
domains), similar to the MAPS or RTBHL, to 'black hole' domains that have a
clueless user population.

Bottom line:  It looks like it is going to be an interesting
rest-of-the-summer.  Get smart, get knowledgeable, get patched!  Keep up with
patches to Linux and other issues and learn how to patch your box without
Sun/Cobalt's help (since they STILL haven't submitted or listed a patch for
PHP WebMail, mySQL, mySQLadmin, Open-SSL, postgresql, officially released a
kerberos/SSH daemon or otherwise kept their other scripten/functions
up-to-date).  Otherwise, be prepared to spend mucho dinero on Sun/Cobalt
'Professional' Services, or find yourself and your customers 'blackholed'
from the majority of the Internet.

Michael J. Cannon
mailto:mcannon@xxxxxxxxxxxxxx
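As an added example (not code from the original post, from Sun/Cobalt, or from DShield), here is a small Python script that does at the log level what point 3 above suggests: it walks an Apache combined-format access log, flags the Code Red ".ida" probes the post calls the 'Xes', and tallies them per source address so the result can be reviewed or forwarded to an incident-reporting service. The log lines are constructed for illustration (RFC 5737 documentation addresses, abbreviated %u-encoded tail), the match keys on the /default.ida path plus a long run of a single padding character rather than the exact payload bytes, and the tab-separated summary is this script's own format, not DShield's submission format.

```python
"""Flag Code Red probes in an Apache access log and tally them per source.

Added example; it is not code from the original mailing-list post, from
Sun/Cobalt, or from DShield. The log lines are constructed for illustration
and use RFC 5737 documentation addresses; the summary format is this
script's own, not DShield's submission format.
"""
import re
from collections import Counter

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# The 2001 Code Red variants hit /default.ida with a long run of one padding
# character ('N' in the first version, 'X' in the later one) followed by
# %u-encoded shellcode. Matching on the path plus a run of 50 or more
# identical padding characters catches both without depending on the exact
# payload bytes, so minor mutations of the tail still match.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?([NX])\1{49,}', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(request):
    """True if the request line looks like a Code Red .ida probe."""
    return CODE_RED_RE.match(request) is not None


def summarize(lines):
    """Tally probes per source host.

    Returns (probes_by_host, unparsed): probes_by_host maps each source
    address to the number of Code Red probes it sent; unparsed counts the
    non-blank lines that did not match the log format.
    """
    probes = Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if is_code_red_probe(rec["request"]):
            probes[rec["host"]] += 1
    return probes, unparsed


def report(probes):
    """Render a tab-separated 'host<TAB>count' report, busiest source first."""
    rows = sorted(probes.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{host}\t{count}" for host, count in rows)


# Constructed sample log. The first three lines are shaped like Code Red
# probes (padding run plus an abbreviated %u-encoded tail); on a Linux/Apache
# box they come back 404 because there is no .ida handler, which is the
# "harmless" case the post describes. The last two are ordinary requests,
# including a short /default.ida request that must NOT count as a probe.
_CR1 = "/default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090=a"
_CR2 = "/default.ida?" + "X" * 224 + "%u9090%u6858%ucbd3%u7801%u9090=a"
SAMPLE_LOG = [
    f'203.0.113.7 - - [19/Jul/2001:14:03:11 -0500] "GET {_CR1} HTTP/1.0" 404 282 "-" "-"',
    f'203.0.113.7 - - [19/Jul/2001:16:41:52 -0500] "GET {_CR1} HTTP/1.0" 404 282 "-" "-"',
    f'198.51.100.23 - - [04/Aug/2001:09:12:05 -0500] "GET {_CR2} HTTP/1.0" 404 282 "-" "-"',
    '192.0.2.44 - - [04/Aug/2001:09:13:40 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [04/Aug/2001:09:13:41 -0500] "GET /default.ida?NNN HTTP/1.0" 404 282 "-" "-"',
]

if __name__ == "__main__":
    probes, unparsed = summarize(SAMPLE_LOG)
    print(report(probes))
    print(f"# unparsed lines: {unparsed}")
```

Run against a real log with `summarize(open("/var/log/httpd/access_log"))`; the per-host counts are what you would want to see before deciding that a source is a compromised broadband box worth reporting, and the 404 status on every hit is the quick check that the box itself did not execute anything.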