- To: <EMAIL:PROTECTED>
- Subject: RE: [MLUG] CodeRedII - there's a variant now - READ THIS
- From: "Deterding, Brent D" <EMAIL:PROTECTED>
- Date: Wed, 8 Aug 2001 12:01:26 -0500
- Reply-To: EMAIL:PROTECTED
- Sender: EMAIL:PROTECTED
- Thread-Index: AcEgKwEQ6BSmfMFcT/GZmb7MATrGXAAAJ81Q
- Thread-Topic: [MLUG] CodeRedII - there's a variant now - READ THIS
incidents.org is still talking about CR II and I believe it would wait
for it. It uses nonblocking sockets.
300 threads work simultaneously and go after the same class A
3/8th, B 4/8th, and random 1/8th of the time.
Because they work in parallel, if one thread is stuck waiting, 299
are still going at other IPs.
CodeRedNeck poses as MANY IPs; so it might tie up 50 threads or
more.
This significantly slows down the spread.
-- Brent
-----Original Message-----
From: Ross, Matt [mailto:EMAIL:PROTECTED]
Sent: Wednesday, August 08, 2001 11:50 AM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] CodeRedII - there's a variant now - READ THIS
The description of it on incidents.org seemed to indicate that if you did
tie it up with Code Redneck, it wouldn't wait for it. If it's not waiting
for it, what good is Code Redneck?
-----Original Message-----
From: Deterding, Brent D [mailto:EMAIL:PROTECTED]
Sent: Wednesday, August 08, 2001 10:05 AM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] CodeRedII - there's a variant now - READ THIS
Nah - CodeRedNeck still works just fine. The variant makes the patch
worthless. IF you have the variant.
-----Original Message-----
From: Ross, Matt [mailto:EMAIL:PROTECTED]
Sent: Wednesday, August 08, 2001 8:17 AM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] CodeRedII - there's a variant now - READ THIS
This makes "Code Redneck" worthless.
"To aid performance, the worm uses a nonblocking socket to connect
to each target. Specifically this means that if one thread is
stuck waiting for a slow connection to a particular target,
the wait will not slow down the rest of the threads from continuing
their scanning function."
-----Original Message-----
From: Deterding, Brent D [mailto:EMAIL:PROTECTED]
Sent: Tuesday, August 07, 2001 10:09 PM
To: MLUG Members (E-mail)
Subject: [MLUG] CodeRedII - there's a variant now - READ THIS
Hey all,
We're in INFOCON ORANGE now
Just FYI there's a CodeRedII variant that circumvents the patch.
It's nasty. Just like CRII except it trojans something else and I'm not
sure what.
There's no documentation for it yet, but trust me it's there. It
hit Asia first but it IS in the US now.
You ever see what this thing can do to an Active Directory
server? AAAAAAHHHHHHH my brain hurts.
Major ISPs are hurting BAD right now, as are most big companies.
Watch www.incidents.org for more information.
Anyone want to take bets on the next version?
I'll bet we'll see selectable targets
Followed by attacking the root name servers
^^^^^^^^^^^^^^^^^^^^^ <--
nasty!
-- Brent
PS - I don't mean to sound like a doomsday prophet; but I spent all day
watching several class A's crumble with this.
--
To manage your subscription, go to
http://mlug.missouri.edu/members/edit.php
Archives are available at http://mlug.missouri.edu/list-archives/