Code Red PITA 
 Code Red PITA

Our HP printers are apparently being attacked by both the first and second
code red variants.  I have installed both patches to both our servers and
have rebooted.  Still, occasionally we get a printer that spontaneously
prints out the text of the attack.
I don't know where they are coming from.  Code red detection software
indicates that we are secure from the code red worm, yet we still get these
printouts.  I find no indication that we actually are infected.
Is there a way I can trap these print requests to see where they originate
from?

--
Best regards,

Andy Mail



Sun, 25 Jan 2004 02:36:14 GMT  
 Code Red PITA
On Tue, 7 Aug 2001 11:36:14 -0700, "Andy Mail" <amail - at -

Quote:

>Our HP printers are apparently being attacked by both the first and second
>code red variants.  I have installed both patches to both our servers and
>have rebooted.  Still, occasionally we get a printer that spontaneously
>prints out the text of the attack.
>I don't know where they are coming from.  Code red detection software
>indicates that we are secure from the code red worm, yet we still get these
>printouts.  I find no indication that we actually are infected.
>Is there a way I can trap these print requests to see where they originate
>from?

>--

The packets still get sent out by somebody and sometimes you'll get
hit. Nothing you can do.

Unless you can get Firewall to filter them out - but imho this is not
easy as I presume you have web servers and of course you want incoming
users !!

Steve



Sun, 25 Jan 2004 12:14:52 GMT  
 Code Red PITA
So it would seem.
Have you got a useful suggestion?


Quote:

> > Our HP printers are apparently being attacked by both the first and
> > second code red variants.

> Your PRINTERS are accessible from the Internet???

> --
> Juergen Nieveler
> Support the ban of Dihydrogen Monoxide: http://www.dhmo.org/
> "The people united can never be ignited!"- Sgt. Colon, Ankh-Morpork Watch




Sun, 25 Jan 2004 23:41:01 GMT  
 Code Red PITA
Thanks.
Can you think of a way to trap the print command origin?  This would help me
identify if it's internal or external.


Quote:
> On Tue, 7 Aug 2001 11:36:14 -0700, "Andy Mail" <amail - at -

> >Our HP printers are apparently being attacked by both the first and second
> >code red variants.  I have installed both patches to both our servers and
> >have rebooted.  Still, occasionally we get a printer that spontaneously
> >prints out the text of the attack.
> >I don't know where they are coming from.  Code red detection software
> >indicates that we are secure from the code red worm, yet we still get these
> >printouts.  I find no indication that we actually are infected.
> >Is there a way I can trap these print requests to see where they originate
> >from?

> >--
> The packets still get sent out by somebody and sometimes you'll get
> hit. Nothing you can do.

> Unless you can get Firewall to filter them out - but imho this is not
> easy as I presume you have web servers and of course you want incoming
> users !!

> Steve



Sun, 25 Jan 2004 23:41:51 GMT  
 Code Red PITA
On Wed, 8 Aug 2001 08:41:01 -0700, "Andy Mail" <amail - at -

Quote:

>So it would seem.
>Have you got a useful suggestion?




>> > Our HP printers are apparently being attacked by both the first and
>> > second code red variants.

>> Your PRINTERS are accessible from the Internet???

>> --
>> Juergen Nieveler
>> Support the ban of Dihydrogen Monoxide: http://www.*-*-*.com/
>> "The people united can never be ignited!"- Sgt. Colon, Ankh-Morpork Watch


*Firewall* and quick.

Perhaps (not flaming you), ISPs should start to become responsible for
certain security features before users connect to network

I mean, they should insist that IIS servers are patched to the latest
security level, and that users are aware of firewalls etc etc

In fact perhaps Windows ought to have some sort of Firewall built in.
On the other hand - nobody would trust it - so s{*filter*}that idea

Steve



Mon, 26 Jan 2004 05:56:14 GMT  
 Code Red PITA
Hi,

you may use security tools like :

NORMAN - NVC / NAC / Personal Firewall www.norman.com

NAI - VSC / Personal Firewall www.nai.com

eEye Iris vulnerability - access control www.eeye.com

NetworkIce BlackIce Vulnerability Tools & Firewall www.networkice.com

you may also use a corporate firewall [www.nai.com ( Gauntlet )] and a
corporate antivirus sw for your network and make all always up-to-date...
( do not forget the trojans too )

is this enough ?? NO :((

you may also install ALL SPs ( Service Packs ) and PATCHES of your installed
OS and applications; and get them all always up-to-date...

How about insiders ?? You may also take care of this point...

Good luck...

Orhan



Quote:
> Our HP printers are apparently being attacked by both the first and second
> code red variants.  I have installed both patches to both our servers and
> have rebooted.  Still, occasionally we get a printer that spontaneously
> prints out the text of the attack.
> I don't know where they are coming from.  Code red detection software
> indicates that we are secure from the code red worm, yet we still get these
> printouts.  I find no indication that we actually are infected.
> Is there a way I can trap these print requests to see where they originate
> from?

> --
> Best regards,

> Andy Mail



Tue, 27 Jan 2004 22:51:03 GMT  
 Code Red PITA
Juergen,

FYI, I fixed our problem.  We were running IIS v3.0 patched to v4.0, which
apparently isn't the same as v4.0.  I downloaded and installed NT4 Option
Pack 4, which included IIS v4.0, now the problem is gone.

BTW, your photo is truly disturbing.  Do humanity a favor and don't ever
point it out to anybody ever again as long as you live.


Quote:

> > > Your PRINTERS are accessible from the Internet???

> > So it would seem.
> > Have you got a useful suggestion?

> A Firewall, of course.

> Crashing the printers is only a small nuisance compared to what people
> COULD do, considering that JetDirect includes a small FTP server (connect
> to it, and every file you upload will be printed).

> I guess most companies would not be amused to have 100 copies of the nice
> picture at www.goatse.cx printed out each morning ;-)

> --
> Juergen Nieveler
> Support the ban of Dihydrogen Monoxide: http://www.dhmo.org/
> "The people united can never be ignited!"- Sgt. Colon, Ankh-Morpork Watch




Wed, 28 Jan 2004 04:38:07 GMT  
 Code Red PITA
First disable web printing.


Quote:
> Our HP printers are apparently being attacked by both the first and second
> code red variants.  I have installed both patches to both our servers and
> have rebooted.  Still, occasionally we get a printer that spontaneously
> prints out the text of the attack.
> I don't know where they are coming from.  Code red detection software
> indicates that we are secure from the code red worm, yet we still get these
> printouts.  I find no indication that we actually are infected.
> Is there a way I can trap these print requests to see where they originate
> from?

> --
> Best regards,

> Andy Mail



Wed, 28 Jan 2004 05:26:44 GMT  
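
One way to approach the question asked in this thread (where the requests reaching the printers originate, and whether the source is internal or external), as an added example that is not part of the original posts. It assumes a hypothetical one-line-per-request capture log (`<time> <src> <dst>:<port> "<request>"`); the log format, addresses, printer list and function name are all constructed for illustration.

```python
import ipaddress
import re

# Code Red requests hit /default.ida followed by a long run of one padding
# character: 'N' in the original worm, 'X' in Code Red II.
SIG = re.compile(r"GET /default\.ida\?(N{20,}|X{20,})")
# Assumed (hypothetical) log format: <time> <src> <dst>:<port> "<request>"
LINE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) "(.*)"$')

def find_printer_hits(lines, printers, internal_nets):
    """Return (time, src, dst, variant, origin) for worm requests sent to printers."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        when, src, dst, _port, request = m.groups()
        sig = SIG.search(request)
        if dst not in printers or not sig:
            continue  # not aimed at a printer, or not a worm request
        addr = ipaddress.ip_address(src)
        origin = "internal" if any(addr in n for n in nets) else "external"
        variant = "N-padded" if sig.group(1)[0] == "N" else "X-padded"
        hits.append((when, src, dst, variant, origin))
    return hits

# Constructed sample data (padding only, no worm payload).
PRINTERS = {"10.1.1.50", "10.1.1.51"}
INTERNAL = ["10.0.0.0/8"]
SAMPLE = [
    f'2001-08-07T11:02:10 203.0.113.7 10.1.1.50:80 "GET /default.ida?{"N" * 224} HTTP/1.0"',
    f'2001-08-07T11:05:42 10.1.2.14 10.1.1.51:80 "GET /default.ida?{"X" * 224} HTTP/1.0"',
    f'2001-08-07T11:06:01 198.51.100.23 10.1.1.10:80 "GET /default.ida?{"N" * 224} HTTP/1.0"',
    '2001-08-07T11:07:15 10.1.2.30 10.1.1.50:80 "GET /index.html HTTP/1.0"',
]

if __name__ == "__main__":
    for hit in find_printer_hits(SAMPLE, PRINTERS, INTERNAL):
        print(*hit)
```

An "internal" result points at a machine on the local network that still needs attention; an "external" result means the printer's web interface is reachable from outside and should be filtered at the firewall.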
 