Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Code Red seemingly on firewall (Re: Code Red on dial-in ppp)

  • From: E.B. Dreger
  • Date: Sat Jul 21 14:44:08 2001

> Date: Sat, 21 Jul 2001 10:40:47 -0400 (EDT)
> From: Mitch Halmu <mitch@netside.net>
> To: nanog@merit.edu
> Subject: Code Red on dial-in ppp
> 
> You may have received the following from codered@securityfocus.com

[ snip ]

One of our clients received said message noting that CR might be on
their Watchguard firewall -- which has no service listening on port 80.

Here's what I think happened:

* CodeRed infects IP addr 1.2.3.4 (some valid public IP)
* IP addr 1.2.3.4 is bound as secondary, with RFC1918 as primary
* Said server is behind NAT-providing firewall
* When infected server contacts the outside world, it uses the
  private IP, which the firewall then masquerades.

This client has several NT boxen behind their firewall so who knows
which the culprit is -- or are.

Just an FYI that will hopefully help others who encounter similar
situations.


Eddy

---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------
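
An added example, not part of the original message: one way to find which host(s) behind the NAT are doing the scanning is to count, per RFC1918 source, the distinct addresses receiving port-80 SYNs on the firewall's inside interface. The log format, sample lines and threshold below are assumptions made for illustration, not WatchGuard's real log format.

```python
import ipaddress
import re
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical key=value format for connections logged on the inside
# interface (before NAT rewrites the source); not a real vendor format.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dport=(?P<dport>\d+) flags=(?P<flags>\S+)")

# Constructed sample: .20 sweeps port 80, .10 browses two sites, .30 sends mail.
SAMPLE_LOG = "\n".join(
    [f"2001-07-21T14:00:{i:02d} src=192.168.1.20 dst=198.51.100.{i} proto=tcp dport=80 flags=S"
     for i in range(1, 9)]
    + [
        "2001-07-21T14:00:03 src=192.168.1.10 dst=203.0.113.7 proto=tcp dport=80 flags=S",
        "2001-07-21T14:00:04 src=192.168.1.10 dst=203.0.113.7 proto=tcp dport=80 flags=S",
        "2001-07-21T14:00:05 src=192.168.1.10 dst=203.0.113.9 proto=tcp dport=80 flags=S",
        "2001-07-21T14:00:06 src=192.168.1.30 dst=203.0.113.25 proto=tcp dport=25 flags=S",
        "2001-07-21T14:00:07 src=192.168.1.20 dst=198.51.100.1 proto=tcp dport=80 flags=SA",
        "garbled line without the expected fields",
    ]
)

def is_rfc1918(addr):
    """True if addr parses as an IP address inside one of the RFC1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def suspected_scanners(log_text, min_distinct_dsts=5):
    """Return {internal_src: distinct port-80 SYN targets} for sources at or above the threshold."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Only initial SYNs to port 80 count; replies and other ports are ignored.
        if not m or m["dport"] != "80" or m["flags"] != "S":
            continue
        if is_rfc1918(m["src"]):
            targets[m["src"]].add(m["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_distinct_dsts}

if __name__ == "__main__":
    for src, n in sorted(suspected_scanners(SAMPLE_LOG).items()):
        print(f"{src}: SYNs to port 80 on {n} distinct addresses")
```
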




