[Snort-users] Code Red attacks

Jason Withrow jwithrow at ...422...
Mon Sep 17 04:37:03 EDT 2001

What bother with the email.

Since CR installs a CMD Shell that is freely accessable, 
Write a script that write a text file to that users computer.

- Jason

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Gordon
Sent: Monday, September 17, 2001 7:01 AM
To: Peter Borner
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Code Red attacks

On Today, Peter Borner wrote:
>Does anyone have any suggestions as to how I can escalate this issue
>get the owners of the offending machines to clean up their act?

Hi Peter,

There are a few tools that will slow down, redirect, or block code red
probes.  Not sure how effective they are...I was lazy and just filtered
incoming code red probes via a dirty little script that updates ACLs on
Foundry switches.

Some links/tools:

>I wrote one too, but in awk.  With a shell script add-on.  It's running
>on FreeBSD 4.3 with the following added to apache's httpd.conf:
>        CustomLog "| /path/to/coderedalert" common
>http://www.it.ca/software/coderedalert - build the email
>http://www.it.ca/software/ipcontacts - grabs contact emails for the IP

>I got my copy from http://www.dasbistro.com/default_ida_info.html
> For Apache, try Apache::CodeRed... available from http://www.cpan.org

> To download CodeRed Scanner go to:
> http://www.eeye.com/html/Research/Tools/codered.html

>CCO official release on blocking code red w/ IOS NBAR -

>There is a useful document at: http://www.incidents.org/diary/diary.php
>which offers an explanation of what CRII does and some useful ways on
>we can stop it eg by filtering at transparent caches etc - worth a



Gordon Ewasiuk, Certifed Sun Fanatic,  Winstar VHC
The REAL office number is here----->  703.893.4901
Tired of BSODs, My Computer, and Code Red?
  3:50am  up 1 day(s), 19:41,  1 user,  load average: 1.09, 1.15, 1.20

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list