Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Code Red : Any whitehouse.gov people around?

  • From: Laurence Berland
  • Date: Fri Jul 20 11:47:50 2001

If you read through eEye's disasm dump, you can find that it's hardcoded
to the ip of www1.whitehouse.gov, which I don't remember but ends in .91

On Fri, 20 Jul 2001, Dave Stewart wrote:

> 
> At 10:04 AM 7/20/2001, Mike Najarian wrote:
> 
> >Has anyone gutted an infected box to determine whether it's going to go for
> >         whitehouse.gov
> >         www.whitehouse.gov
> >or a hardcoded IP?
> 
> While there's incomplete information available in the standard places, it 
> appears to be a hardcoded IP.
> 
> I, along with many others, have null routed it.... Symantec's site claims 
> the IP address is no longer active at any rate.
> 
> It *appears* that from xx-20-xxxx through xx-28-xxxx, this thing will 
> attack that IP address... meaning that measures already in place will 
> minimize damage from the portion of the code that attempts to flood 
> 198.137.240.91.  Networks where 198.137.240.91 isn't blocked could see 
> network congestion, I suppose, if they host a large number of infected 
> machines.
> 
> I've seen a claim that if the date is greater than 28, the threads just go 
> into an infinite sleep.
> 
>  From what I can see, I would expect another round of probes to take place 
> starting on 01-August-2001...
> 
> 
> 

Laurence Berland
http://www.isp.northwestern.edu





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.