Follow-up.. [00.00 EST, 04.08.2001; 11.35 EST 03.08.2001 to now (release).]

I just spent 20-30 mins doing a basic tweak of the CodeRed worm. I need now a known faulty IIS server (or list thereof), preferably with admin, to track the success of the process. The tweaked code basically fixes a couple of flow sequences, sends a packet to a loggerbox, and then utilizes the worm's capabilities for distribution and neutralisation...

I would like to test this (mostly to ensure the box isn't eliminated if it might still have the capacity to do something else) on a known target quickly, so if anyone has a suitable simulation target, please contact me directly. Obviously, we need to confirm the successful operation, and ensure it does indeed stall the CodeRed process... If anything, this will merely head off any not-yet-bothered servers, but will at least lock out the old CodeRed worm from further propagation.

I may be inclined to construct a more advanced derivative (as this code is SEVERELY horrible, CR could be done successfully in half the weight) which would allow shutdown of targets within the faulty M$ servers and other various hostiles, though not a high priority in any regard. Is there value/worth for this? ...

Also, I would like to allow for accurate logging, so I need a target box which can accept connections for monitoring; CAIDA/etc., as others have suggested, would be ideal, though contact is required with/from them or another party.

I have some basic scripts which can be used to clean out any originating server, basically 5-line pump scripts for Perl to feed the cleaner worm back to the noisy server. This is a quick fix, but will at least quiet down the adverse and excess traffic and noise... It is self-limiting, and will not propagate from previously-cleaned boxes.

So, if we can have a couple of targets and ensure it works, we can then help out this hassle effectively...

I wouldn't mind a controlled simulation with mutual intent of both cleaning as well as simulation/analysis in the real world... We need this. Till someone's response with a target/etc :)

-Wilfred
Wilfred@Cryogen.com
participants (1)
- Wilfred L. Guerin