Code Red Information


(Latest Revision 08/25/2001)

There's a new version of the Code Red worm.  Here are a few URLs for
reading about it:

http://www.incidents.org/diary/diary.php
http://www.dshield.org/codered.html
http://www.unixwiz.net/techtips/CodeRedII.html

http://www.caida.org/analysis/security/code-red/
http://dailynews.yahoo.com/h/nm/20010805/ts/tech_codered_dc_38.html
http://www.cert.org/advisories/CA-2001-19.html
http://www.cert.org/current/current_activity.html#CodeRed

This is older, more stable information on an assortment of prevalent
threats.

http://www.cert.org/current/current_activity.html#scans

-----------------------------------------

I've been following the Code Red news, and I have a couple of things
to relate.

First, since Code Red mutated in a manner that allows hackers to gain
"root" access, we need to keep in mind the possibility that gabara has
been compromised in a way that allows a hacker to return to it and
gain complete control over it.

Probably we should keep it turned off, and wipe it clean at the
earliest convenience.

Second, the local network in the CS Dept has been experiencing pretty
frequent interruptions for several days now.  The news about Code Red
suggests that some of this could be caused by ARP request floods from
compromised machines as well as the port 80 probes.  I don't have more
than sketchy information about this, but it seems clear now that we
have to consider the possibility that we are experiencing general and
serious network slowdowns due to Code Red.

This URL:

http://www.incidents.org/react/code_redII.php

gives information describing how to test for current vulnerability,
fixes, and recent modifications to the form of the attack.

-----------------------------------------
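As an added example (not part of the note above or of any page it links), here is a small Python check for the behaviour the note attributes to compromised machines: a host fanning ARP requests and port 80 SYNs out to many neighbours. The tcpdump-style lines, addresses and thresholds below are constructed assumptions, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample modelled on tcpdump's text output; not a real capture.
# 10.1.2.40 sweeps its subnet (many ARP who-has + SYNs to port 80),
# 10.1.2.9 is ordinary traffic to a single host.
SAMPLE_LOG = """\
ARP, Request who-has 10.1.2.5 tell 10.1.2.40
ARP, Request who-has 10.1.2.6 tell 10.1.2.40
ARP, Request who-has 10.1.2.7 tell 10.1.2.40
ARP, Request who-has 10.1.2.8 tell 10.1.2.40
ARP, Reply 10.1.2.5 is-at 00:11:22:33:44:55
IP 10.1.2.40.1034 > 10.1.2.5.80: Flags [S]
IP 10.1.2.40.1035 > 10.1.2.6.80: Flags [S]
IP 10.1.2.40.1036 > 10.1.2.7.80: Flags [S]
ARP, Request who-has 10.1.2.1 tell 10.1.2.9
IP 10.1.2.9.2000 > 10.1.2.1.80: Flags [S]
"""

ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
SYN_80 = re.compile(r"IP (\S+)\.\d+ > (\S+)\.80: Flags \[S\]")

def scan_summary(log_text):
    """Return {sender: (distinct ARP targets, distinct port-80 SYN targets)}."""
    arp = defaultdict(set)
    syn = defaultdict(set)
    for line in log_text.splitlines():
        m = ARP_REQ.search(line)
        if m:
            target, sender = m.groups()   # "who-has <target> tell <sender>"
            arp[sender].add(target)
            continue
        m = SYN_80.search(line)
        if m:
            src, dst = m.groups()
            syn[src].add(dst)
    senders = set(arp) | set(syn)
    return {s: (len(arp[s]), len(syn[s])) for s in senders}

def suspected_scanners(log_text, arp_threshold=4, syn_threshold=3):
    """Hosts whose fan-out looks like a worm sweeping the local subnet.
    Thresholds are assumed values; tune them to the size of your segment."""
    summary = scan_summary(log_text)
    return sorted(s for s, (a, p) in summary.items()
                  if a >= arp_threshold or p >= syn_threshold)

if __name__ == "__main__":
    print(suspected_scanners(SAMPLE_LOG))   # ['10.1.2.40']
```

On a real segment, feed it `tcpdump -n -l arp or 'tcp[tcpflags] & tcp-syn != 0'` output; a host that keeps appearing is worth pulling off the network and checking before the wipe the note proposes.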