Code Red v3 is out

Just a little note to let you know that yesterday version 3 of Code Red was released on the net. Yep, someone rewrote the original into an updated version.

Also, if anyone has looked at the stats for their websites and seen a high number of failures to access a file called default.ida, from my understanding this failure shows the server your site is hosted on was under attack, but the ISP was smart and did the updates to prevent the attack from doing any damage.
Reply #1
I don't know which version of CodeRed is actually striking, but I have an unbelievable number of IPs logged on my firewall (and to make sure, I scanned some of them) trying to access the HTTP service on my PC (which isn't installed anyway), and they're almost all coming from 24.*.*.*, which is mainly the cable modem address range. Not only that, but my cable modem receive light keeps flashing since yesterday and I'm almost sure it's that virus that causes it.

The most frightening thing is that all these IPs I have in my log are in fact people who run an unpatched version of IIS, which is 100% vulnerable to other attacks. Since the virus only uses a known vulnerability in IIS, it means anybody can actually infiltrate one of these systems without the users even knowing it.

So if you happen to use IIS, BE CAREFUL AND DOWNLOAD THE PATCH ASAP!!!
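The original post talks about seeing failed requests for default.ida in website stats, and Reply #1 about firewall logs full of source IPs in 24.*.*.*. The script below is an added example, not code from the thread: it parses constructed common-log-format access lines (sample data, not real traffic), picks out requests for /default.ida, and summarizes them per source IP and per /8 block, flagging any that the server actually answered with a 2xx rather than rejecting.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
24.12.34.56 - - [19/Jul/2001:10:12:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 318
24.12.34.56 - - [19/Jul/2001:10:12:05 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 318
24.99.1.2 - - [19/Jul/2001:10:13:44 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 400 285
203.0.113.7 - - [19/Jul/2001:10:14:02 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.9 - - [19/Jul/2001:10:15:30 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 200 512
"""

# Common log format: client, ident, user, [timestamp], "method path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

def find_ida_probes(log_text: str) -> List[Dict[str, str]]:
    """Return every request whose path targets /default.ida (the Code Red probe)."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        path = m.group("path")
        # The worm request is a GET for /default.ida followed by a long query string.
        if path.lower().split("?", 1)[0] == "/default.ida":
            probes.append({"ip": m.group("ip"), "status": m.group("status"), "path": path})
    return probes

def summarize(probes: List[Dict[str, str]]) -> Dict[str, object]:
    """Count probes per source IP and per /8 block, and flag any that were answered (2xx)."""
    by_ip = Counter(p["ip"] for p in probes)
    # Reply #1 saw most sources in 24.*.*.*; grouping by first octet shows that pattern.
    by_block = Counter(p["ip"].split(".")[0] + ".*.*.*" for p in probes)
    # A 4xx means the server did not service the .ida request; a 2xx means something on
    # the server answered it, which is the case worth a patch check on that host.
    serviced = sorted({p["ip"] for p in probes if p["status"].startswith("2")})
    return {"by_ip": dict(by_ip), "by_block": dict(by_block), "serviced_from": serviced}

if __name__ == "__main__":
    report = summarize(find_ida_probes(SAMPLE_LOG))
    print("default.ida requests per /8 block:", report["by_block"])
    print("answered (2xx) default.ida requests from:", report["serviced_from"] or "none")
```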
Reply #2
I know what you mean, FlipNET, about the lights on your modem; mine have been the same way, and it is really annoying. If you are running a cable or DSL modem with an ethernet connection, you may want to look into the Linksys cable/DSL router with hardwired firewall. It will help keep most of this stuff from hitting your software firewall and clogging your report logs. Yes, this is all minimal protection, but it keeps most of the mainstream stuff out.
Reply #3
I agree with you, MobiusCo, on the Linksys router w/ integrated firewall. Some of my friends use it (the 4-port one) and it's a very, very neat product! I'm in fact thinking of buying one soon. I use Symantec Personal Firewall, which is quite good, but I would rather use a hardware solution so I wouldn't have to open my server for my other PCs to browse the web. And it would also spare me some precious resources by not running the firewall service.
Reply #4
OK, everybody here is talking about two different things. Now if you run a firewall, that is all fine and dandy. But if you run a webserver behind a firewall, you have to punch a hole through the firewall to allow access from the internet to your webserver. So it doesn't matter if all these people are running a firewall and IIS; the problem is that they are running an unpatched version of IIS that has a buffer overflow problem. If you don't run a webserver, or if you do and it is NOT IIS (Apache, iPlanet), then you shouldn't worry. Code Red (version 2, not 3, is out last I heard) attacks computers running Windows NT and 2000 that are running unpatched versions of IIS 4 and 5. So if you are running one of those products, either turn off the IIS service or install the patch.
Code Red also attacks certain Cisco routers, but I am not sure if the newest Code Red affects them, or if it was only the first version.
Reply #5
www.symantec.com/avcenter/venc/data/codered.v3.html

Here is a link to the one write-up about version three. And yes, HeyYou, I agree you always need to do the updates to protect yourself from the IIS and all other holes in the apps. That is why it is good to keep up to date on all patches and developments. I thought it would be good to warn people about the new version release that hit the net yesterday.
Reply #6
HeyYou, no offense here but I think you misunderstood what we were talking about.

1. What we explained is that CodeRed exploits a vulnerability in IIS which is caused by an unsecured DLL. Everybody that runs IIS *has* to patch their system. That's it. We never said people with Unix or Linux servers should patch, or that if your firewall blocks inbound/outbound connections on port 80 you should be concerned (although patching is still a good thing to do). Still, if a PC contaminated by CodeRed sends me a malformed HTTP GET request (outbound connection), then there's a good chance that inbound connections are also permitted, which means they effectively have a "full hole" in their security, firewall or not. So they're vulnerable.

2. The firewall discussion wasn't really related to CodeRed anyway. It was just a variation on the current thread.

Again, no offense here. Just wanted to clear things up.