Code Red attack

Status
Not open for further replies.

KimLeece

Technical User
Nov 12, 2002
420
JP
I am hosting my own website at home behind a router and Sygate Firewall. The last two days I have been under attack from the Code Red worm. It doesn't seem to be getting through - Sygate is detecting and stopping it. Is there any way to actually stop the attack? Is there any chance it will eventually get through Sygate?
Any help greatly appreciated.

Kim Leece.
 
Thanks for the link. As far as I can tell from the Microsoft site I shouldn't be at risk as I am running XP with SP1 and all updates installed. On top of that I have a current update for PC-cillin which does real time virus scanning and checks the machine every night. I rebooted this morning as well. However - this is an ongoing attack - almost constant according to Sygate. Sygate keeps using an active response and blocking IPs for the maximum 10 mins - but as soon as it stops blocking there is another attempt. What I find very weird is that I thought this was an old worm - and nothing like this has ever happened before a couple of days ago - is this something new? Is anyone else having problems?

Kim Leece.
 
Just because it is old, doesn't mean it isn't still running around. Good news is, we know it is there and how to keep it out.

Sounds like you are ok... Kimber

The more I learn, I realize how much more there is to know!
 
ChrisHirst - Yes, that seems to be it. Thanks.

Kim Leece.
 
Hi Kim
Did you resolve your difficulties? I am getting the exact same Code Red warnings with Sygate PF. Unlike you I do not host a web service. The Sygate warning mode cripples my download times.
I recently installed XP & returned to using Sygate. On my old Win98 & OnTrack SysSuite firewall, this was never a problem.
Maybe the solution is to try another firewall with XP?


 
The only way to stop the attack is to contact the administrator of the machine which is launching the attack.

If it's repetitively from one IP address, or a shallow range, it's more than likely one particular user (who probably isn't aware that the machine is infected).

Reverse DNS the IP to find the ISP / the user's office, then contact them via email to report the problem.

Most ISPs will take action if you report the problem...and most users are grateful for the heads-up.

<marc> i wonder what will happen if i press this...
  • please give feedback on what works / what doesn't
  • need some help? how to get a better answer: faq581-3339
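
An added example, not part of the original thread: one way to check from the web server's own log whether the probes come from one address or a narrow range, as the reply above suggests, before reporting them to an ISP. It assumes IIS W3C extended logs with the standard `c-ip`, `cs-uri-stem` and `cs-uri-query` fields; the log lines, the addresses and the 20-character padding threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Code Red requests /default.ida with a long run of 'N' padding in the query
# string (Code Red II uses 'X'). The 20-character minimum is an assumption.
PROBE_QUERY = re.compile(r"^(N{20,}|X{20,})")

def code_red_sources(log_text):
    """Count Code Red style probes per client IP in a W3C extended log."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows below
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "")
        if stem == "/default.ida" and PROBE_QUERY.match(query) and "c-ip" in row:
            hits[row["c-ip"]] += 1
    return hits

def group_by_network(hits, prefix=24):
    """Collapse per-IP counts into per-network counts (default /24)."""
    nets = Counter()
    for ip, count in hits.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)] += count
    return nets

def spread(hits):
    """One network suggests a single infected host or site; many do not."""
    nets = group_by_network(hits)
    if not nets:
        return "none"
    return "single source or narrow range" if len(nets) == 1 else "many networks"

# Constructed sample log (documentation address ranges, padding only, no payload).
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-01-10 02:11:09 192.0.2.15 GET /default.ida " + "N" * 224 + " 404",
    "2003-01-10 02:21:40 192.0.2.15 GET /default.ida " + "N" * 224 + " 404",
    "2003-01-10 02:25:02 192.0.2.77 GET /default.ida " + "X" * 224 + " 404",
    "2003-01-10 03:02:51 203.0.113.9 GET /default.ida " + "N" * 224 + " 404",
    "2003-01-10 03:05:00 198.51.100.4 GET /index.htm - 200",
    "2003-01-10 03:05:07 198.51.100.4 GET /default.ida - 404",
])
```

The per-network counts from `group_by_network` are what to attach to an abuse report, one report per network owner.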
 
The attack on my system went on for a couple of months, and then it stopped. It never got through so it never did any damage - it's nice though not to see the pages of Sygate security warnings anymore! The attacks came from a fairly wide range of IPs and when I tried to back trace them I couldn't find out more than the machine was possibly in Holland. As for changing the firewall - maybe - but at least Sygate sees and stops the attacks, and that is exactly what it is supposed to do, so I am happy with it. It didn't seem to adversely affect other downloads although I don't use the machine in question to download much anyway. My website didn't seem to be affected in terms of speed or other things.

Kim Leece.
 
Cheers All. I appreciate the help and advice.
No damage done so far, and Sygate does seem to be doing the job of keeping the attack out. I have back traced and am in the process of contacting the relevant mail administrator. The origin seems to be at wanadoo (Fr) so as has been suggested I imagine that the server (otherwise respectable) was hijacked.
As a result of proofing my system defences I also discovered an "Open" Port 5000 vulnerability (MS Universal plug N Play). I have since closed this.
 