[Snort-users] Code Red attacks

Erek Adams erek at ...577...
Mon Sep 17 17:34:02 EDT 2001

On Tue, 18 Sep 2001, Greg Wright wrote:

> I liked the idea of configuring the server to return data to an exploited
> system that will patch the hole, however the potential legality issues
> frighten me, however I wonder...
> Isn't it possibly a little convoluted in that the exploited system that you
> are 'putting' data on is actually requesting *something* from your server
> initially. The action of 'putting data' is the serving of a request
> initiated by the infected system.
> If you were to put data on your web server system that stops CodeRed, and an
> affected box attempted to scan for and pass a request to your server, then
> the data that it passes back was not sent directly, but sent in response to
> a request.
> What is the general opinion on this?

Well, this has been hashed out at length last month on
vul-dev at ...717...  I invite you to search the archives for what
others think...

But in short, IMHO it's a Bad Thing(tm).  If something else happens to the
server from your patch upload, then you are the one in the hotseat.  Yes, if
they can't patch a server, would they even notice you installing the patch?
Probably not.  But, if the corp IDS catches you and that IDS is owned by
someone else, your ass is in a sling.  "No, I didn't do anything wrong, I was
patching your server.  Well, yes I did upload code to it and reboot it, but I
was doing a good thing."  Big corps don't care.  They just want a scapegoat.

I for one, won't be a scapegoat. :)

Side note:  One topic of discussion was that CR uses blocking threads.  If you
configed a server or honeypot to hold the connection open you stop that
machine from infecting others.

Anyways, check out vul-dev for a lengthy discussion on this...

Erek Adams

More information about the Snort-users mailing list