[NCLUG] Code Red Attacks & DSL Routers

Michael Dwyer mdwyer at sixthdimension.com
Thu Jul 19 15:15:42 MDT 2001


A worm dubbed "Code Red" is in circulation right now.  Mostly
harmless to us, since it exploits unpatched IIS machines, but
it hits all IPs regardless (grep your httpd.error logs for
"default.ida" and check how many times you've been hit!)

The bigger problem is that the '?' in the request string
causes some DSL routers to lock up.  If you have one of these
routers, check this attached message regarding turning off
the web access.
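Counting the "default.ida" hits the post suggests grepping for, as an added example (not code from the original message). It parses constructed Apache common-log-format access lines, tallies Code Red probes per source address, and also counts every request that carried a '?' at all, since any such request, worm or not, is what the post says trips the affected DSL routers:

```python
import re
from collections import Counter

# Constructed sample log (not from the original post). The worm's request
# line is abbreviated here: a run of 'N' padding followed by a query string.
SAMPLE_ACCESS_LOG = """\
10.0.0.7 - - [19/Jul/2001:13:02:11 -0600] "GET /default.ida?NNNNNNNNNNNNNNNN=a HTTP/1.0" 404 280
10.0.0.7 - - [19/Jul/2001:13:04:52 -0600] "GET /default.ida?NNNNNNNNNNNNNNNN=a HTTP/1.0" 404 280
192.0.2.44 - - [19/Jul/2001:13:05:30 -0600] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [19/Jul/2001:13:07:03 -0600] "GET /default.ida?NNNNNNNNNNNNNNNN=a HTTP/1.0" 404 280
192.0.2.44 - - [19/Jul/2001:13:09:41 -0600] "GET /about.html?lang=en HTTP/1.1" 200 2048
this line is deliberately malformed and must be skipped
"""

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path):
    """The worm always requests default.ida with a query string attached."""
    return path.lower().startswith("/default.ida?")


def summarize_code_red(log_text):
    """Tally Code Red probes by source IP plus every request carrying a '?'."""
    hits = Counter()
    query_requests = 0
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if "?" in rec["path"]:
            query_requests += 1
        if is_code_red_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return {
        "total": sum(hits.values()),
        "by_source": dict(hits),
        "query_requests": query_requests,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(summarize_code_red(SAMPLE_ACCESS_LOG))
```

Point it at a real access log with `summarize_code_red(open(path).read())`; on Apache the probes show up as 404s there, while the error log only records the missing file.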

----- Original Message -----
From: "Smith, Donald " <Donald.Smith at qwest.com>
To: "'jamesh'" <jamesh at cybermesa.com>; <intrusions at incidents.org>
Cc: <gordon at cybermesa.com>; "Mark Sanchez" <msanchez at cybermesa.com>
Sent: Thursday, July 19, 2001 2:08 PM
Subject: RE: Code Red Attacks


>
> login to your dsl router and type
>
> nsos>set web disabled
>
> nsos>write
>
> Now you've disabled the web interface and written it to CMOS. Power cycle it
> and test the web interface.
> For more information on this router goto:
>
> http://www.cisco.com/warp/public/794/cbos_login.html#6a
>
>
> ########################################################################
> From Joe Harris [cdi at thewebmasters.net]
> A notable side effect of this... the worm signature is wreaking havoc with
> Cisco 675, 677, and 678 DSL routers that have the Web Based Configuration
> Interface enabled.
>
>   Ref BugTraq ID # 2012
>   http://www.securityfocus.com/vdb/bottom.html?vid=2012
>
> Any request which includes a question mark made to the Web Admin Interface
> on these Cisco devices will cause them to lock up. I mention this only
> because I work tech-support at an ISP and the phones have been going nuts
> this morning.
>
> ########################################################################
> Donald.Smith at qwest.com IP Engineering Security
> 303-226-9939/0688 Office/Fax
> 720-320-1537 cell
>
> > -----Original Message-----
> > From: jamesh [mailto:jamesh at cybermesa.com]
> > Sent: Thursday, July 19, 2001 1:56 PM
> > To: intrusions at incidents.org
> > Cc: gordon at cybermesa.com; Mark Sanchez
> > Subject: Re: Code Red Attacks
> >
> >
> > I work for a large multi-state ISP. DSL seems to be affected
> > by Code Red.
> > Talking to our DSL provider (Qwest) they indicate due to the traffic these
> > probes produce, either the websites users are trying to go to are being
> > heavily probed or the DSL system (routers) itself, causing a DoS. Can
> > anyone give me Cisco syntax for an ACL to block this?
> >
> > James Edwards
> > jamesh at cybermesa.com
> > At the Santa Fe Office: Internet at Cyber Mesa
> > Store hours: 9-6 Monday through Friday
> > Phone support 365 days till 10 pm via the Santa Fe office:
> > 505-988-9200 or Toll Free: 888-988-2800
> >
> >
>