TODAY'S DOWNTIME HAS BEEN BROUGHT TO YOU BY [Archive] - RonFez.net Messageboard



FMJeff
07-19-2001, 01:17 PM
A network cable that fell out of the back of the computer...it has since been replaced...

SORRRRRREEEEEEEEE

Jeff Shain
WebMaster
http://www.foundrymusic.com


Pootertoot
07-19-2001, 01:19 PM
lol, it's always the last thing you look for.

Example...

For the longest time I would wake up with blood all over the sheets and my dick...I went to the doctor, no one could figure it out...

Just every morning, without warning, blood on the sheets, blood on my dick...

You know what it was?

The baby has grown its first tooth.

It's always the darndest things!

This Sig is Temporary, while the REAL 1000 Post Spectacular Sig is Pending Litigation.

FMJeff
07-19-2001, 04:12 PM
We got hit with this today...




The following information was researched by Ryan Permeh (ryan@eeye.com) and
Marc Maiffret (marc@eeye.com) of eEye Digital Security.
We would like to specially thank Matthew Asham of Left Coast Systems Corp
and Ken Eichman of Chemical Abstracts Service for providing us with logs and
needed data to make this analysis possible.

Introduction
------------

On Friday July 13th we received packet logs and information from 2 network
administrators that were experiencing large amounts of attacks targeting the
recent .ida vulnerability that eEye Digital Security discovered


From the first analysis of the logs that were sent to us we were able to
deduce that in fact it looked as if someone had released a worm for the .ida
vulnerability. Within the logs we could see connection attempts from over 5
thousand IIS 5 web servers targeting various other IIS web servers and
sending a .ida exploit to each of them. Evidence also showed that
compromised hosts were being used to attack other hosts.

We've designated this the .ida "Code Red" worm, because part of the worm is
designed to deface webpages with the text "Hacked by Chinese" and also
because code red mountain dew was the only thing that kept us awake all last
night to be able to disassemble this exploit.

Details
-------
Note: Details are going to be short for now. We plan on releasing a full
analysis of the worm but felt that it was important to get this message out
ASAP as this worm is starting to affect a lot of people.

The standard injection vector is an exploit that uses the .ida buffer
overflow to execute code (as SYSTEM) on vulnerable remote systems.

The worm performs the following on infected systems:
* Spawns 100 threads which are used to scan for new IIS web servers to
infect
* Checks for the existence of c:\notworm and if it is found then it does not
try to propagate itself to other hosts.
* Defaces web pages with the message:
<head><meta http-equiv="Content-Type" content="text/html;
charset=English


Welcome to http://www.worm.com !

Hacked
By Chinese!</hr></bady>

Analysis
--------
Note: Again this is a quick brief analysis, more detail will follow.

Upon infection the infected host will spawn 100 threads in a loop. This loop
checks for the existence of c:\notworm and if the file does not exist then
the worm will proceed to start scanning for vulnerable servers to infect.

The worm does scan for random IP addresses. However, the worm uses the same
seed for "randomization" of IP addresses. This means that each new infected
host will start at the same IP and continue scanning further down the same
track of IP's as every other infected host. The ramifications of this are
severe because this means that hosts early in this "randomized" IP sequence
will be hit over and over as new hosts are infected. This creates the
potential for a denial of service against early IP addresses in the
sequence. Also, evidence has proved that hosts can be infected multiple
times therefore creating a drain on system resources. However, normal worm
operation seems to have a cut off point as to how many times a host will be
re-infected. Early analysis seems to suggest that the worm has a limit of 3
reinfections however that may have just been "by chance" in our test
scenario.

Other in house tests of the infections have shown that internal thread rate
limiting seems to be broken in certain situations. Which means that some
infected systems will continue to spawn new threads until system resources
become so low that the entire web server computer crashes or becomes
unusable.

Summary
-------
We will be releasing a full detailed analysis, complete with disassembled
worm code and comments within the code.

We have had reports from a few network administrators that their IDS systems
have seen this .ida attack originating from over 5 thousand unique source
addresses within a 3 day time span.

Hosts early in the IP sequence will be hit with a traffic based denial of
service and
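
The shared-seed behaviour described in the advisory's Analysis section, modelled as an added example (not part of the original post or of eEye's analysis). The seed value, probe rate, infection schedule and the use of Python's PRNG are constructed assumptions; the worm's own generator is not shown on the page.

```python
import random
from collections import Counter

STATIC_SEED = 0x1234  # constructed value; the page does not give the worm's seed


def scan_sequence(seed, count):
    """First `count` IPv4 targets produced by a generator started from `seed`."""
    rng = random.Random(seed)
    return [".".join(str(rng.randrange(256)) for _ in range(4))
            for _ in range(count)]


def probes_per_target(infection_ticks, now, rate, seed=STATIC_SEED):
    """Probes each address has received by tick `now`.

    Every host restarts the same sequence from its first entry when it is
    infected and tries `rate` addresses per tick (constructed model).
    """
    hits = Counter()
    for infected_at in infection_ticks:
        if now > infected_at:
            hits.update(scan_sequence(seed, (now - infected_at) * rate))
    return hits


def load_on(position, infection_ticks, now, rate):
    """Probes seen so far by the address at `position` in the shared sequence."""
    target = scan_sequence(STATIC_SEED, position + 1)[position]
    return probes_per_target(infection_ticks, now, rate)[target]


# Constructed scenario: 50 hosts, one new infection per tick, 20 probes per tick.
INFECTED_AT = list(range(50))
RATE = 20

if __name__ == "__main__":
    for tick in (10, 30, 60):
        hits = probes_per_target(INFECTED_AT, tick, RATE)
        print(f"tick {tick:2d}: {len(hits):4d} distinct targets, "
              f"{sum(hits.values()):5d} probes, "
              f"first address hit {load_on(0, INFECTED_AT, tick, RATE)}x, "
              f"address #1000 hit {load_on(1000, INFECTED_AT, tick, RATE)}x")
```

In this model the load on the first address in the sequence equals the number of infected hosts, which is why an operator sitting early in the sequence sees the same request from a growing set of sources.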

sunndoggy8
07-19-2001, 04:25 PM
I think I'm going to throw up.

But anyway, finally it's up! I noticed it went down again a couple times, but I don't know whether it's related to that computer worm dealie.

~~~~"Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come."--Matt Groening~~~~

sunndoggy8
07-19-2001, 04:44 PM
The board keeps working for a minute and then going out for another minute. I demand results!

~~~~"Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come."--Matt Groening~~~~

Pootertoot
07-19-2001, 05:21 PM
I think you should spend less time on this problem and more time enjoying what may be my best post ever. ::points up::

This Sig is Temporary, while the REAL 1000 Post Spectacular Sig is Pending Litigation.

FMJeff
07-20-2001, 01:55 AM
lol...technical stuff....we're looking cool now...10 hours and no problems...I've been up all night monitoring it...it's 6:09 AM...looks like we're good...

Jeff Shain
WebMaster
http://www.foundrymusic.com


Cranky Ass
07-20-2001, 06:23 AM
Hey Jeff, looks like you're not alone....

Code Red Worm Virus Aims At White House Web Site

Full Story Link Here: https://www.safeweb.com/o/_o(410):_win(1):http://dailynews.yahoo.com/h/nm/20010720/ts/tech_codered_dc.html

________________

Find me a jury...

Read My Column, Kickin Ass With FoundryMusicAntD on FoundryMusic.com (https://www.safeweb.com/o/_o(410):_win(1):http://www.foundrymusic.com/), the most difficult site to navigate on the net.

[INSERT CORNY SONG LYRICS OR WACK ZANY QUOTE HERE]


This message was edited by Cranky Ass on 7-20-01 @ 10:25 AM

Pootertoot
07-20-2001, 08:02 AM
Bastards. I pour all my creative genius into a post and I get no love. See if I don't molest your children now. JUST WATCH.

This Sig is Temporary, while the REAL 1000 Post Spectacular Sig is Pending Litigation.

Mad Producer
07-20-2001, 09:35 AM
P,
Are we feeling a little insecure today?;)

"Shooting someone is not recognized as an art form, hopefully this will change"- some guy

PanterA
07-20-2001, 10:46 PM
The ramifications of this are severe because this means that hosts early in this "randomized" IP sequence
will be hit over and over as new hosts are infected.

Of course! All you have to do is reprogram the database with the rpg files dos. Yeah sure, you still have to reorganize the main frame mother board, but that takes 20 minutes when you're using microsoft power gram v8.2 . This is like a total 5th grade project. duhh I bet you're still running on ProDos 2000 v5.3 . jeez man you're totally outdated.

j/k dude thanks for caring enough to keep us running! Jeff rocks. Thank You.

http://members.aol.com/slipknot4twenty/rfsig3CYA!

sunndoggy8
07-22-2001, 12:14 PM
PanterA, I totally agree with you...dot com.

~~~~"Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come."--Matt Groening~~~~

Maureen
07-22-2001, 01:01 PM
Best post ever? How can we mere mortals pick a best -- they're all gold!

Pootertoot IS God.


How come my post count is missing?

PanterA
07-22-2001, 09:44 PM
sunndoggy8, inside jokes rule dot org

http://members.aol.com/slipknot4twenty/rfsig3CYA!

PanterA
07-23-2001, 12:28 AM
oh nothing 1.3 megapixel

http://members.aol.com/slipknot4twenty/rfsig3CYA!

sunndoggy8
07-23-2001, 10:50 AM
Why whatever do you mean PanterA critical error on application?

~~~~"Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come."--Matt Groening~~~~

Gvac
07-23-2001, 08:06 PM
Clock reset (Top)











Steamrolling toward 1,000 posts