Merit note URGENT: "Code Red" worm attacks require your immediate attention (fwd)

Mark Szidik szidikm@mlc.lib.mi.us
Fri, 20 Jul 2001 00:43:54 -0400 (EDT)


Yet another reason to not run a shitty OS....



---------- Forwarded message ----------
Date: Thu, 19 Jul 2001 19:37:10 -0400
From: Jeff Ogden <jogden@merit.edu>
To: Inform Group for MichNet Outages <michnet-inform@merit.edu>, mjts@merit.edu,
     netdirect@merit.edu
Cc: staff@merit.edu
Subject: URGENT: "Code Red" worm attacks require your immediate attention

The "Code Red" worm is causing serious problems across the world-wide
Internet including within MichNet.  Some users may experience network
slowdowns to the point that it appears that the network is down or
unusable.  The problems are serious and will require action on the
part of many individuals to resolve. Please review the following
information, pass it along to appropriate people within your
organization, and see that appropriate action is taken soon.

Merit is taking steps to control or lessen the problem and trying to
coordinate our work with others nationally and internationally.
However, it is not clear exactly what actions will lead to rapid
solutions and some solutions may themselves disrupt Web access to
some sites.

Merit will be blocking inbound access to port 80 at the LAN interface
on affiliate routers and member interfaces on backbone routers
(inbound access to the site is being blocked, this is outbound access
over the LAN interface). We will start with systems that have a
relatively large amount of IP address space since these sites seem to
be having the most problems. We may not need to block sites with
smaller amounts of IP address space. Once port 80 blocking is in
place we will be reenabling port 80 access for selected IP addresses
that are running Web or other servers that are not subject to the
"Code Red" vulnerability.

If your organization wishes to take its own actions to deal with
these problems rather than having Merit take action, please contact
the NOC by phone or e-mail to request that we not take action for
your network or that we reenable your network if we have already
blocked inbound access to port 80 (be sure to give us the name of
your network or the IP address of a system on your network). You
should also call the NOC if you have specific IP addresses or domain
names for which you wish to have us reenable inbound port 80
access, while we leave blocking in place for other IP addresses.

You can get information about the "Code Red" worm from

      http://www.cert.org/incident_notes/IN-2001-08.html

Systems Affected

   --Systems running Microsoft Windows NT 4.0 with IIS 4.0 or
     IIS 5.0 enabled
   --Systems running Microsoft Windows 2000 (Professional, Server,
     Advanced Server, Datacenter Server)
   --Systems running beta versions of Microsoft Windows XP

If your organization is running any of the above systems, you need to
obtain a patch from Microsoft and get it installed as soon as
possible or you need to turn off the systems until you can install
the patch.

If you have questions about what is happening, contact the Network
Operations Center (NOC).  The recording that the NOC maintains will
be updated from time to time with more recent information. We will
post additional information via e-mail and on Merit's Web site
(www.merit.edu) as it becomes available.

If you have questions about what Merit is doing and want to talk to
me, Brian Cashman, or Fred Rowe, call the NOC, give them a phone
number where we can call you, and ask that one of us call you back.

    -Jeff Ogden
     Merit
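
The port 80 blocking described in the message above, modelled as a first-match filter applied to packets leaving the router's LAN interface toward the site. This is an added example, not part of the original message and not Merit's router configuration; the addresses (RFC 5737 documentation ranges), the exempt server and all function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing, not Merit's: one member site and one exempted server.
SITE_NET = ip_network("192.0.2.0/24")
EXEMPT = {ip_address("192.0.2.10")}   # server reported as not vulnerable

def lan_out_filter(pkt):
    """First-match filter on packets the router sends OUT its LAN interface,
    which is traffic arriving AT the site. Returns 'permit' or 'deny'."""
    if pkt["proto"] == "tcp" and pkt["dport"] == 80:
        if ip_address(pkt["dst"]) in EXEMPT:
            return "permit"   # re-enabled address: must match before the deny
        return "deny"         # every other inbound port 80 connection
    return "permit"           # other protocols and ports are untouched

def forward(pkt):
    """Only packets headed into the site cross the LAN interface outbound;
    packets leaving the site are never seen by this filter."""
    if ip_address(pkt["dst"]) in SITE_NET:
        return lan_out_filter(pkt)
    return "permit"

# Constructed sample packets covering each direction and case.
SAMPLES = {
    "inbound web to unlisted host": dict(
        proto="tcp", src="203.0.113.5", sport=40000, dst="192.0.2.77", dport=80),
    "inbound web to exempt server": dict(
        proto="tcp", src="203.0.113.5", sport=40002, dst="192.0.2.10", dport=80),
    "reply to a site user's browser": dict(
        proto="tcp", src="198.51.100.20", sport=80, dst="192.0.2.77", dport=40001),
    "site user browsing outward": dict(
        proto="tcp", src="192.0.2.77", sport=40001, dst="198.51.100.20", dport=80),
    "inbound mail": dict(
        proto="tcp", src="203.0.113.9", sport=40003, dst="192.0.2.25", dport=25),
}

def evaluate_samples():
    """Return {description: verdict} for every constructed sample packet."""
    return {name: forward(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:6}  {name}")
```

Only the first sample is denied: Web servers inside the site become unreachable from outside unless exempted, while browsing by the site's own users and their return traffic still pass.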