[Snort-users] Code Red attacks

Franki franki at ...2492...
Tue Sep 18 02:03:04 EDT 2001


RE: [Snort-users] Code Red attackscouldn't we just write an upload a bat
file for the server to run ???

ie: update.bat

ftp www.update.microsoft.com/yada/yadda/yadda

get /updates/something/iisupdate.exe

c:\somewhere\iisupdate.exe

shutdown -r now #couldn't remember the windows version of that so I
substituted the *nix version,, you get the idea.

would that not work?? and since the patch gets downloaded from a MS server,
its less likely to get detractors...

you could also have it email the admin of the server, something to the
effect...


After hours of sustained requests from your server to one of ours,  our
server response has activated,, and has responded to YOUR servers REQUEST by
telling it to download the patch from microsoft... if you are reading this,
there is a good chance it was sucessful, and you are no longer suseptable to
Code red and its variants.
however, this does not exclude the possibility that sometime in the period
that you were infected, your server did not have "back doors" installed. you
should look into this and take the necessary steps.


I think thats a nice solution, and it makes it clear that the other server
requested the info, and that the patch was the response...(its just like
manually downloading stuff from the web, if you download a dodgy program and
install it, you can't blame the guy who wrote it legally because he didn't
force you to install it.... you requested the download..... see what I mean?



rgds

Frank




  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jason Withrow
  Sent: Tuesday, 18 September 2001 8:33 AM
  To: 'Jason Withrow'; 'Greg Wright'
  Cc: snort-users at lists.sourceforge.net
  Subject: RE: [Snort-users] Code Red attacks


  I think we should write that.



  The world will be a better place.



  So the question now is how can we upload the patch?

  WE know that there will most likely be a cmd shell living in c, which has
been shared out thru IIS and has been given execute permissions by Code Red'
s infection process.



  I guess we would have to send a carefully crafted url response back,
passing parameters back to cmd.exe to invoke the ftp.exe???





  - Jason



  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jason Withrow
  Sent: Monday, September 17, 2001 8:23 PM
  To: 'Greg Wright'
  Cc: snort-users at lists.sourceforge.net
  Subject: RE: [Snort-users] Code Red attacks



  I like it.



  It makes complete sense to me.



  - Jason





  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Greg Wright
  Sent: Monday, September 17, 2001 7:56 PM
  To: 'snort-users at lists.sourceforge.net'
  Subject: RE: [Snort-users] Code Red attacks



  I liked the idea of configuring the server to return data to an exploited
system that will patch the hole, however the potential legality issues
frighten me, however I wonder...

  Isn't it possibly a little convoluted in that the exploited system that
you are 'putting' data on is actually requesting *something* from your
server initially. The action of 'putting data' is the serving of a request
initiated by the infected system.

  If you were to put data on your web server system that stops CodeRed, and
an affected box attempted to scan for and pass a request to your server,
then the data that it passes back was not sent directly, but sent in
response to a request.

  What is the general opinion on this?

  Regards,
  Greg Wright

  -----Original Message-----
  From: Erek Adams [mailto:erek at ...577...]
  Sent: Tuesday, 18 September 2001 8:22 AM
  To: Jason Withrow
  Cc: 'Gordon Ewasiuk'; snort-users at lists.sourceforge.net
  Subject: RE: [Snort-users] Code Red attacks

  On Mon, 17 Sep 2001, Jason Withrow wrote:

  > What is the legal issue, it is a purely defensive mechanism.

  Well...  I'm not a lawyer, but:  You're doing _something_ to someone elses
  machine--Uninvited.  That in and of itself can put you in a lot of legal
  hotwater, depending on the remote sites security policy.  Now, I'm not
arguing
  the morality of what you're doing, or what you intend to do, but the act
of
  accessing someone elses stuff without consent puts you into the same class
as
  a 'hacker' in a lot of corportate security policy eyes.

  Instead, "Do the Right Thing".  :)  Anyone from your local subnets, give
them
  a call.  Most of the CR{I,II,III} tend to target the local subnets over
remote
  ones.  A quick use of whois and traceroute will usually give you a fair
idea
  of where someone is at physically.

  Or simpler, block them at the router.  ;-)

  -----
  Erek Adams
  Nifty-Type-Guy
  TheAdamsFamily.Net



  _______________________________________________
  Snort-users mailing list
  Snort-users at lists.sourceforge.net
  Go to this URL to change user options or unsubscribe:
  https://lists.sourceforge.net/lists/listinfo/snort-users
  Snort-users list archive:
  http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010918/4f7d36cb/attachment.html>


More information about the Snort-users mailing list