Since Saturday, Aug 11, 2002, Netrack has been filtering incoming
Code-Red and similar web-based attacks to protect customers from the serious
ramifications of Code-Red II. Regardless, all customers should take the
precautions listed below.
If you have a web server connected via Netrack, you may notice connections
to your web server that send no URL request and stay connected for about 5
minutes doing nothing until they time out. Those are Code-Red connections where the URL request packet has
been blocked. The access log entry in
Apache will look something like this:
192.168.160.81 - - [12/Aug/2001:16:31:11 -0600] "-" 408 -
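One way to spot these entries in an Apache access log, as an added example (not Netrack's own code): the script counts, per client address, requests logged as "-" with status 408. Every sample line except the first is constructed, and any idle client that connects and sends nothing produces the same entry, so treat the counts as an indicator only.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def blocked_request_hits(lines):
    """Count, per client, entries with an empty request ("-") and status 408."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line.strip())
        if m is None:
            continue  # not a Common Log Format line; skip it
        if m.group("request") == "-" and m.group("status") == "408":
            hits[m.group("host")] += 1
    return hits

# First line is the entry shown on this page; the rest are constructed samples.
SAMPLE = [
    '192.168.160.81 - - [12/Aug/2001:16:31:11 -0600] "-" 408 -',
    '192.168.160.81 - - [12/Aug/2001:16:36:40 -0600] "-" 408 -',
    '10.0.0.7 - - [12/Aug/2001:16:32:02 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [12/Aug/2001:16:33:15 -0600] "-" 408 -',
    '10.0.0.7 - - [12/Aug/2001:16:34:00 -0600] "GET /missing HTTP/1.0" 404 210',
    'truncated or malformed line',
]

if __name__ == "__main__":
    # Print clients with the most timed-out empty requests first.
    for host, count in blocked_request_hits(SAMPLE).most_common():
        print(f"{host}\t{count}")
```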
DSL
Netrack DSL customers with client-level access are
currently, and have always been, protected
from the Code-Red worm behind Netrack's DSL firewall. However, all customers
should take the following precautions to ensure their DSL Cisco modem is not
vulnerable to web-based attacks.
- Upgrade the Cisco CBOS firmware to version
2.4.2 or later.
- Disable the web service on the modem.
- Change the web service port from 80 to another number.
See the Netrack DSL configuration instructions for more information.
Windows 2000 and NT
All Windows 2000 and NT users should apply the service patch
provided by Microsoft to correct existing Code-Red infections and prevent
future ones. IF YOUR SYSTEM WAS INFECTED WITH CODE-RED II, YOU MUST REINSTALL
WINDOWS COMPLETELY. YOU HAVE BEEN INFECTED WITH CODE-RED II IF THIS FILE
EXISTS ON YOUR SYSTEM:
\inetpub\scripts\root.exe
For information on how to download and apply the Microsoft
service patch, check the Microsoft web site here:
Microsoft Code-Red fix information
For more information on Code-Red and other security incidents,
see the SANS Emergency Incident Handler.
Call Netrack for additional assistance, 303-938-0188.