Question about codered worm

Martijn van Oosterhout kleptog at
Tue Aug 7 17:45:16 EST 2001

On Tue, Aug 07, 2001 at 05:04:35PM +1000, Sam Couter wrote:
> Not from what I can tell on our web servers. This second worm seems far more
> aggressive than the first one.

Well, since the beginning of the month there have been 45,000 unique IPs.
Just in the last hour 3,000. Talk about virulent!

> Because of the way the worm generates the random IP addresses to attack, the
> rate at which you get attacked will depend on how many hosts in your class B
> network block are also infected.

Well, 18,000 of those hosts began with 210.

> But, if the connection isn't being established because of your firewall,
> you're only getting SYN packets.

I realise that. Thank god.

> > - are we allowed to do smurf type attacks on offending machines to try to
> > disable their IP stacks?
> Not legally (IANAL).
> However, I was wishing I had the know-how and the time to write something
> that responds with a payload that just shuts the machine down. That should
> keep them quiet for a short while. :)

As someone pointed out, the new version leaves a shell accessible through
the webserver. Now, if I knew how to fiddle the registry I'd just arrange a
program to disable IIS and shutdown any running server. If you could spread
this as a kind of counter-worm, we might be rid of it.

> > - from what I'm seeing, the general response from everyone is to ignore the
> > problem. Is this true or are people actually doing something?
> SecurityFocus are running a service where you send the IP address that
> attacked you and the approximate time, and they will notify the owners of
> that IP address. I can't find the email address to send your list of
> attacking IP addresses to at the moment. Have a look at
> if you like. I can't navigate the site.

Hmm, maybe I can make a script to parse the firewall logs and mail them a
list every hour :)
Martijn van Oosterhout <kleptog at>
> It would be nice if someone came up with a certification system that
> actually separated those who can barely regurgitate what they crammed over
> the last few weeks from those who command secret ninja networking powers.
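The hourly log-parsing script floated above, as an added example that is not code from the thread or from anyone on it. It assumes the firewall writes iptables-style LOG lines to syslog (syslog timestamps carry no year, so the year is passed in), keeps only initial SYNs to TCP port 80, drops duplicate sources, and groups the unique probers by first octet and by /16 (the "class B" grouping the discussion turns on). The log lines embedded in it are constructed for illustration, with 210.x.x.x sources chosen only to mirror the observation above; mailing the resulting text is left to cron and whatever MTA is at hand, since the recipient address is not given in the thread.

```python
"""Summarise port-80 SYN probes from iptables-style firewall logs.

Added example for the discussion above, not code from the original thread.
Assumes the iptables LOG line format; the sample log below is constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Fields we need from an iptables LOG line (assumed format): SRC=, PROTO=, DPT=.
FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")
# Leading syslog timestamp, e.g. "Aug  7 16:40:01" (no year in syslog).
TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")

# Constructed sample: not real captures. Includes a duplicate source, an
# ACK-only packet, a UDP packet and a line older than the reporting window.
SAMPLE_LOG = """\
Aug  7 16:40:01 gw kernel: IN=eth0 OUT= SRC=210.10.4.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3111 DF PROTO=TCP SPT=2049 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  7 16:41:13 gw kernel: IN=eth0 OUT= SRC=210.10.9.21 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4210 DF PROTO=TCP SPT=1197 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  7 16:41:13 gw kernel: IN=eth0 OUT= SRC=210.10.4.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3112 DF PROTO=TCP SPT=2050 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  7 16:42:55 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  7 16:43:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=1 DF PROTO=TCP SPT=4000 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Aug  7 16:43:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=2 PROTO=UDP SPT=53 DPT=53 LEN=20
Aug  7 15:30:00 gw kernel: IN=eth0 OUT= SRC=210.99.1.1 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=7 DF PROTO=TCP SPT=1025 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Start of the reporting window used for the sample above (an hour-ish run).
SINCE_EXAMPLE = datetime(2001, 8, 7, 16, 0, 0)


def parse_line(line, year):
    """Return (timestamp, source IP) for an initial SYN to TCP/80, else None."""
    m = TS_RE.match(line)
    if not m or " kernel: " not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != "80":
        return None
    # iptables prints TCP flags as bare tokens; keep SYN without ACK only,
    # so SYN/ACKs and stray ACKs from elsewhere do not count as probes.
    tokens = line.split()
    if "SYN" not in tokens or "ACK" in tokens:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, fields["SRC"]


def summarise(lines, since, year=2001):
    """Unique probing sources since `since`, plus counts per /8 and per /16."""
    seen = set()
    by_first_octet = Counter()
    by_class_b = Counter()
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, src = parsed
        if ts < since or src in seen:
            continue
        seen.add(src)
        a, b, _, _ = src.split(".")
        by_first_octet[a] += 1
        by_class_b[f"{a}.{b}.0.0/16"] += 1
    return seen, by_first_octet, by_class_b


def report(lines, since, year=2001, top=5):
    """Plain-text report suitable for piping into mail(1) from cron."""
    seen, octets, blocks = summarise(lines, since, year)
    out = [f"Unique probing IPs since {since:%Y-%m-%d %H:%M}: {len(seen)}"]
    out.append("By first octet:")
    out.extend(f"  {o}.0.0.0/8: {n}" for o, n in octets.most_common(top))
    out.append("By class B block:")
    out.extend(f"  {blk}: {n}" for blk, n in blocks.most_common(top))
    out.append("Sources:")
    out.extend(f"  {ip}" for ip in sorted(
        seen, key=lambda s: tuple(int(x) for x in s.split("."))))
    return "\n".join(out)


if __name__ == "__main__":
    # In production read /var/log/messages (or wherever the LOG target lands)
    # and set `since` to now minus one hour before each hourly run.
    print(report(SAMPLE_LOG.splitlines(), SINCE_EXAMPLE))
```

Counting only SYNs without ACK matters on a box that also serves web traffic: the worm's probe is a bare SYN to port 80, while the server's own sessions produce SYN/ACKs and ACKs that would otherwise inflate the count. Deduplicating by source before grouping by /16 is what makes the block counts a fair reflection of how many distinct infected hosts share each class B with you.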

