[Snort-users] Code Red attacks
erek at ...577...
Mon Sep 17 17:34:02 EDT 2001
On Tue, 18 Sep 2001, Greg Wright wrote:
> I liked the idea of configuring the server to return data to an exploited
> system that will patch the hole; however, the potential legality issues
> frighten me. Still, I wonder...
> Isn't it possibly a little convoluted in that the exploited system that you
> are 'putting' data on is actually requesting *something* from your server
> initially. The action of 'putting data' is the serving of a request
> initiated by the infected system.
> If you were to put data on your web server system that stops CodeRed, and an
> affected box attempted to scan for and pass a request to your server, then
> the data that it passes back was not sent directly, but sent in response to
> a request.
> What is the general opinion on this?
Well, this was hashed out at length last month on
vul-dev at ...717... I invite you to search the archives for what
But in short, IMHO it's a Bad Thing(tm). If something else happens to the
server from your patch upload, then you are the one in the hotseat. Yes, if
they can't patch a server, would they even notice you installing the patch?
Probably not. But, if the corp IDS catches you and that IDS is owned by
someone else, your ass is in a sling. "No, I didn't do anything wrong, I was
patching your server. Well, yes I did upload code to it and reboot it, but I
was doing a good thing." Big corps don't care. They just want a scapegoat.
I for one, won't be a scapegoat. :)
Side note: One topic of discussion was that CR uses blocking threads. If you
configured a server or honeypot to hold the connection open, you would stop that
machine from infecting others.
Anyways, check out vul-dev for a lengthy discussion on this...
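The tarpit idea from the side note above, as an added example that is not part of the original post or of Snort: a small Python listener that answers ordinary requests with a 404 but, when the request line begins with the `GET /default.ida?` prefix that the Code Red scan used (assumed here as the signature), neither answers nor closes the connection, so the worm's blocking scanner thread sits in its read for the whole hold period. The class and function names, the hold time, and the localhost `probe` client helper are all this example's own.

```python
"""Minimal HTTP tarpit for Code Red-style scanners.

Added example, not code from the original thread or from Snort. It assumes
the worm's probe begins with "GET /default.ida?"; anything else is answered
with a plain 404 and closed normally.
"""
import socket
import threading

# Assumption: Code Red's scanning request line starts with this prefix.
CODE_RED_PREFIX = b"GET /default.ida?"


def is_code_red_probe(request: bytes) -> bool:
    """True if the first request line looks like a Code Red scan."""
    first_line = request.split(b"\r\n", 1)[0]
    return first_line.startswith(CODE_RED_PREFIX)


class Tarpit:
    """Accept connections; hold Code Red probes open instead of answering.

    The worm's scanning thread blocks on the HTTP exchange, so a connection
    that never completes pins that thread for `hold_seconds`, during which
    it cannot probe anyone else.
    """

    def __init__(self, host="127.0.0.1", port=0, hold_seconds=300.0):
        self.hold_seconds = hold_seconds
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(64)
        self._sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._lock = threading.Lock()
        self.held = 0        # probes currently being held open
        self.total_held = 0  # probes held since start

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def stop(self):
        self._stop.set()
        self._sock.close()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        conn.settimeout(5.0)
        try:
            data = conn.recv(4096)
        except (socket.timeout, OSError):
            conn.close()
            return
        if is_code_red_probe(data):
            # Say nothing and close nothing: the scanner's thread stays in recv().
            with self._lock:
                self.held += 1
                self.total_held += 1
            try:
                self._stop.wait(self.hold_seconds)
            finally:
                with self._lock:
                    self.held -= 1
                conn.close()
        else:
            try:
                conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                pass
            conn.close()


def probe(port, request, wait=1.0):
    """Client helper: send `request` and report what the server did within `wait`.

    Returns "held" (no reply, still open), "replied", or "closed".
    """
    c = socket.create_connection(("127.0.0.1", port))
    c.sendall(request)
    c.settimeout(wait)
    try:
        reply = c.recv(4096)
    except socket.timeout:
        return "held"
    finally:
        c.close()
    return "replied" if reply else "closed"


if __name__ == "__main__":
    tp = Tarpit(hold_seconds=30.0).start()
    print("tarpit on port", tp.port)
    print("worm probe  ->", probe(tp.port, b"GET /default.ida?NNNN HTTP/1.0\r\n\r\n"))
    print("normal GET  ->", probe(tp.port, b"GET / HTTP/1.0\r\n\r\n"))
    print("held so far ->", tp.total_held)
    tp.stop()
```

On a real honeypot the hold time would be long (the worm gives up only when its own socket timeout fires), and the listener would need to sit on port 80 with enough file descriptors to keep many scanners parked at once; the 404 path is there so a legitimate client is not tarpitted by mistake.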