[NCLUG] Code Rainbow: New attack, MUCH nastier...
Michael Dwyer
mdwyer at sixthdimension.com
Tue Sep 18 13:21:29 MDT 2001
The information on this worm is still a little spotty. I'm still not
sure if there are actually two worms or just one. There are two
names, at least. Code Rainbow is one, something-starting-with-an-N
(heh) is the other one. Nimea? Something like that...
Anyway, it apparently moves via E-mail (Readme.exe), unsecured shares
(any share you can get to with a uname of "guest" and no password),
and also via IIS code-red-style propagation. This last one seems
to be the one that is trashing the net. At 10am I had 3000 hits; I've
almost broken 5000 now, and my users are complaining about
network speeds. :(
If nothing else, everyone here who has a few extra IPs left over
might want to look into LaBrea to try to slow this thing down:
http://www.hackbusters.net/
Also, FRII is working to limit the effects of this attack on its
customers by blocking compromised machines. They are a little
busy, though, as you might imagine. :)
----- Original Message -----
From: "Sean Reifschneider" <jafo at tummy.com>
To: <lug at lug.boulder.co.us>; <nclug at nclug.org>
Sent: Tuesday, September 18, 2001 10:59 AM
Subject: [NCLUG] Code Rainbow: New attack, MUCH nastier...
> Starting at around 7am mountain time this morning (you know, exactly a
> week from last Tuesday at 9am eastern time) a new Code-Red-like worm has
> started pounding the heck out of the network. It's interesting to note that
> there wasn't really a ramp-up time; at 7:20am or so mountain time we just
> suddenly started getting pounded on at around 40KB/sec. Now, around 2.5
> hours later it's up to 60KB/sec.
>
> They're calling it "Code Rainbow":
>
> http://www.newsbytes.com/news/01/170225.html
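A small added example (my own, not code from either poster or from FRII): the
"hits" Michael is counting and the "compromised machines" FRII is blocking
both come down to the same job, tallying requests per source address in the
web server log and picking out the sources that are hammering you. The script
below parses Common Log Format lines and returns the offenders above a
threshold, plus drop rules for them. The log lines, addresses (RFC 5737 test
ranges) and the threshold of 3 are constructed for illustration and are not
signatures of this worm; the request paths are placeholders, not the worm's
real probes.

```python
# Added example, not part of the original NCLUG post. Counts web-server hits
# per source host from Common Log Format lines and lists the sources worth
# blocking. Sample log lines below are constructed; the worm's real request
# paths are not reproduced here.
import re
from collections import Counter
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one noisy scanner, two quiet clients, one junk line.
SAMPLE_LOG = [
    '198.51.100.23 - - [18/Sep/2001:10:00:01 -0600] "GET /probe HTTP/1.0" 404 290',
    '203.0.113.9 - - [18/Sep/2001:10:00:02 -0600] "GET / HTTP/1.0" 200 1043',
    '198.51.100.23 - - [18/Sep/2001:10:00:03 -0600] "GET /probe HTTP/1.0" 404 290',
    '198.51.100.23 - - [18/Sep/2001:10:00:04 -0600] "GET /probe HTTP/1.0" 404 290',
    'this line is not a log entry at all',
    '192.0.2.44 - - [18/Sep/2001:10:00:05 -0600] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.23 - - [18/Sep/2001:10:00:06 -0600] "GET /probe HTTP/1.0" 404 290',
    '203.0.113.9 - - [18/Sep/2001:10:00:07 -0600] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.23 - - [18/Sep/2001:10:00:08 -0600] "GET /probe HTTP/1.0" 404 290',
]


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "host": m.group("host"),
        "time": ts,
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def hits_per_host(lines):
    """Count parseable requests per source host; malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["host"]] += 1
    return counts


def noisy_hosts(lines, threshold):
    """Hosts with more than `threshold` requests in the sample, sorted."""
    return sorted(h for h, n in hits_per_host(lines).items() if n > threshold)


def hits_per_minute(lines):
    """Overall request rate across the sample; 0.0 if under one minute of data."""
    times = [r["time"] for r in map(parse_line, lines) if r is not None]
    if len(times) < 2:
        return 0.0
    span = (max(times) - min(times)).total_seconds() / 60.0
    return len(times) / span if span >= 1.0 else 0.0


def block_rules(hosts):
    """Netfilter drop rules for the listed hosts (assumed iptables syntax)."""
    return ["iptables -A INPUT -s %s -j DROP" % h for h in hosts]


if __name__ == "__main__":
    bad = noisy_hosts(SAMPLE_LOG, 3)
    print("hits per host:", dict(hits_per_host(SAMPLE_LOG)))
    print("blocking:", bad)
    for rule in block_rules(bad):
        print(rule)
```

In practice you would feed it `tail -f` of the live log and pick the threshold
from the rate you are actually seeing (Michael's jump from 3000 to 5000 hits in
a morning is the kind of number to calibrate against), and block upstream at
the router rather than on the web host so the traffic never reaches the box.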