From: "Carroll, D. (Danny)"
To: "Alfred Perlstein", "Wilko Bulte"
Subject: RE: Code Red is from default setup
Date: Mon, 20 Aug 2001 09:20:03 +0200
Sender: owner-freebsd-security@FreeBSD.ORG

It's been done, except it didn't reboot, but rather patched the box or removed the mappings (can't remember). Then it searched for other machines using the same IP search algorithm as Code Red.

It wasn't released into the wild, tho, it was just a demonstration that I read about on another security list.

-D

-----Original Message-----
From: Alfred Perlstein [mailto:bright@mu.org]
Sent: Monday, August 20, 2001 9:13 AM
To: Wilko Bulte
Cc: Carroll, D. (Danny); freebsd-security@FreeBSD.ORG
Subject: Re: Code Red is from default setup

* Wilko Bulte [010820 01:53] wrote:
> On Mon, Aug 20, 2001 at 08:50:57AM +0200, Carroll, D. (Danny) wrote:
>
> This is *FreeBSD* security, not MickeySoft latest bugs..

Agreed.
Although it would be amusing to detect default.ida requests and reply with a similar request, the difference being that the reply one reboots/shuts-down the infected box. I'm surprised no one has suggested crafting such a tool.

--
-Alfred Perlstein [alfred@freebsd.org]
Ok, who wrote this damn function called '??'?
And why do my programs keep crashing in it?