[Snort-users] Code Red attacks

Tim Olson tolson at ...2439...
Tue Sep 18 07:21:02 EDT 2001

I personally don't have a problem with your plan, but I sure understand
the viewpoint that others have about patching someone else's system.
I would suggest a lighter approach....

The server is requesting a file, you let it send one.
Make it a batch file or a command shell that just
runs a script that sends a Windows pop-up message to itself
noting that they are infected and would best have their
system professionally checked out.

Then, after it runs the script, clean up after yourself
by removing the files you sent.

This way you're notifying them, but not patching them.


couldn't we just write and upload a bat file for the server to run???
ie: update.bat
    ftp www.update.microsoft.com/yada/yadda/yadda
    get /updates/something/iisupdate.exe
    shutdown -r now #couldn't remember the windows version of that so I
    substituted the *nix version, you get the
would that not work?? and since the patch gets downloaded from an MS
server, it's less likely to get detractors...
you could also have it email the admin of the server, something to the
    After hours of sustained requests from your server to one of ours, our
    server response has activated, and has responded to YOUR server's
    REQUEST by telling it to download the patch from microsoft... if you
    are reading this, there is a good chance it was successful, and you
    are no longer susceptible to Code Red and its variants.
    however, this does not exclude the possibility that sometime in the
    period that you were infected, your server did not have "back doors"
    installed. you should look into this and take the necessary steps.
I think that's a nice solution, and it makes it clear that the other
server requested the info, and that the patch was the response... (it's
just like manually downloading stuff from the web, if you download a
dodgy program and install it, you can't blame the guy who wrote it
legally because he didn't force you to install it.... you requested
the download..... see what I mean?

     -----Original Message-----
     From: snort-users-admin at lists.sourceforge.net
     [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jason
     Sent: Tuesday, 18 September 2001 8:33 AM
     To: 'Jason Withrow'; 'Greg Wright'
     Cc: snort-users at lists.sourceforge.net
     Subject: RE: [Snort-users] Code Red attacks

     I think we should write that.


     The world will be a better place.


     So the question now is how can we upload the patch?

     WE know that there will most likely be a cmd shell living in c,
     which has been shared out thru IIS and has been given execute
     permissions by Code Red's infection


     I guess we would have to send a carefully crafted url response
     back, passing parameters back to cmd.exe to invoke the ftp.exe???



     - Jason


     -----Original Message-----
     From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]
     On Behalf Of Jason Withrow
     Sent: Monday, September 17, 2001 8:23 PM
     To: 'Greg Wright'
     Cc: snort-users at lists.sourceforge.net
     Subject: RE: [Snort-users] Code Red attacks


     I like it.


     It makes complete sense to me.


     - Jason



     -----Original Message-----
     From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]
     On Behalf Of Greg Wright
     Sent: Monday, September 17, 2001 7:56 PM
     To: 'snort-users at lists.sourceforge.net'
     Subject: RE: [Snort-users] Code Red attacks


     I liked the idea of configuring the server to return data to an
exploited system that will patch the hole,
     however the potential legality issues frighten me, however I

     Isn't it possibly a little convoluted in that the exploited system
     that you are 'putting' data on is actually requesting *something*
     from your server initially. The action of 'putting data' is the
     serving of a request initiated by the infected system.

     If you were to put data on your web server system that stops
     CodeRed, and an affected box attempted to scan for and pass a
     request to your server, then the data that it passes back was not
     sent directly, but sent in response to a request.

     What is the general opinion on this? 

     Greg Wright 

     -----Original Message----- 
     From: Erek Adams [mailto:erek at ...577...] 
     Sent: Tuesday, 18 September 2001 8:22 AM 
     To: Jason Withrow 
     Cc: 'Gordon Ewasiuk'; snort-users at lists.sourceforge.net 
     Subject: RE: [Snort-users] Code Red attacks 

     On Mon, 17 Sep 2001, Jason Withrow wrote: 

     > What is the legal issue, it is a purely defensive mechanism. 

     Well...  I'm not a lawyer, but:  You're doing _something_ to
     someone else's machine--Uninvited.  That in and of itself can put
     you in a lot of hot water, depending on the remote site's security
     policy.  Now, I'm not arguing the morality of what you're doing, or
     what you intend to do, but the act of accessing someone else's
     stuff without consent puts you into the same class as a 'hacker'
     in a lot of corporate security policy eyes.

     Instead, "Do the Right Thing".  :)  Anyone from your local subnets,
     give them a call.  Most of the CR{I,II,III} tend to target the
     local subnets over remote ones.  A quick use of whois and
     traceroute will usually give you a fair idea of where someone is
     at physically.

     Or simpler, block them at the router.  ;-)

     Erek Adams 


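As an added example (not code from anyone in this thread, and not part of Snort), here is the "block them at the router" option Erek ends on, worked through in Python: the script picks Code Red I and Code Red II probes, plus the root.exe/cmd.exe backdoor requests that correspond to the "cmd shell shared out thru IIS" Jason mentions, out of a web-server access log, and turns the offending source addresses into a router block list. The log lines are constructed for the example; the IP addresses, timestamps and the ACL number are assumptions. The request shapes (/default.ida? followed by a run of N's for Code Red I or X's for Code Red II, and root.exe under /scripts and /MSADC for the copy of cmd.exe that Code Red II leaves behind) are the worm's documented signatures, with the overflow payload shortened here.

```python
"""Pick Code Red probes out of an access log and build a router block list.

Added example for the Snort-users thread above; not code from the thread.
SAMPLE_LOG is constructed (hypothetical addresses and times); the request
signatures are Code Red's documented ones, payload truncated for brevity.
"""
import re
from collections import defaultdict

# Constructed Common Log Format lines. Two scanners, one legitimate visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:07:21:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 285
192.0.2.10 - - [18/Sep/2001:07:21:05 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [18/Sep/2001:07:22:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 285
203.0.113.5 - - [18/Sep/2001:07:23:40 -0400] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [18/Sep/2001:07:23:41 -0400] "GET /images/logo.gif HTTP/1.1" 200 5120
198.51.100.7 - - [18/Sep/2001:07:24:00 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Ordered request signatures. The .ida overflow rides in the query string of
# /default.ida; Code Red I pads it with 'N', Code Red II with 'X'. Code Red II
# also copies cmd.exe to root.exe under the scripts and MSADC directories,
# which is what later "?/c+dir" probes are looking for.
SIGNATURES = [
    ("CodeRed-I",      re.compile(r"^/default\.ida\?N{20,}", re.I)),
    ("CodeRed-II",     re.compile(r"^/default\.ida\?X{20,}", re.I)),
    ("ida-overflow",   re.compile(r"^/default\.ida\?", re.I)),
    ("root.exe-probe", re.compile(r"^/(scripts|msadc)/root\.exe", re.I)),
    ("cmd.exe-probe",  re.compile(r"cmd\.exe", re.I)),
]


def classify_request(path):
    """Return the first matching signature name, or None for a benign path."""
    for name, rx in SIGNATURES:
        if rx.search(path):
            return name
    return None


def parse_line(line):
    """Parse one CLF line into a dict of fields, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Map each attacking source IP to the sorted list of signatures it hit."""
    hits = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_request(rec["path"])
        if label:
            hits[rec["ip"]].add(label)
    return {ip: sorted(labels) for ip, labels in hits.items()}


def block_list(hits):
    """Sorted list of source IPs to drop at the border router or firewall."""
    return sorted(hits)


def cisco_acl(hits, acl_number=110):
    """Render the block list as a Cisco IOS numbered ACL (ACL number assumed)."""
    lines = [f"access-list {acl_number} deny ip host {ip} any"
             for ip in block_list(hits)]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, labels in sorted(found.items()):
        print(f"{ip:15} {', '.join(labels)}")
    print("\n".join(cisco_acl(found)))
```

The ordering of SIGNATURES matters: the generic `ida-overflow` entry comes after the two worm-specific ones so a real Code Red hit is labelled by variant, while any other `/default.ida?` request (a variant with a different pad byte, or a hand-made probe) is still caught. Run the block against a real log instead of SAMPLE_LOG and the output is the per-source summary plus an ACL you can paste into the router; a `whois` on each address in `block_list()` is the next step if you intend to call the owner as suggested above.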