Our principal web server (which services some 50-odd virtual domains) has taken over 500 hits from "Code Red" worms since around 10am today. It runs Apache, so it doesn't present a security risk, but it is tending to annoy our already-overloaded network pipe (we have four Class C's squeezed into one T1 line). Prior to today at around 11am there is no record in our logfiles for that server, which go back to 10 July.

Our servers all started to see hits at about the same time, around 10am central time. Two of them, NT 4.0 SP6a systems with IIS 5, died, one repeatedly, before we figured out what was going on. The attacks come from widely variable hosts (no discernible pattern). I've tracked nearly a thousand hits on our IP block in the past six hours or so with none before that, and that doesn't even count the ones that smacked silently against the firewall (port 80 is only open through the firewall to hosts that actually run public web servers, which is only a tiny fraction of the IPs in the block). My cable modem has also started to get hit today, for the first time as far as I know, as has our off-site ecommerce server.

I suspect that this is a fresh launch, possibly with a modified code base from the original Code Red worm.

Kelly Martin
American Farm Bureau Federation

> -----Original Message-----
> From: Mike Brockman [SMTP:phubuhat_private]
> Sent: Thursday, July 19, 2001 4:33 PM
> To: bugtraqat_private
> Subject: 'Code Red' does not seem to be scanning for IIS
>
> From what I read about the 'Code Red' worm, it was supposed to be scanning for IIS servers. It obviously isn't; I believe it tries to infect everything it finds on port 80, or something as simple as that.
>
> About three to four days ago, I started to get those default.ida GETs in my Apache logs. I shut down the server as fast as I could, checked for outgoing connections from my computer, and then did some research. I was told that it was an IIS worm, and that it couldn't affect Apache servers, so I was safe. I turned the server back on, and from that day I have received forty-one attempts.
>
> How can this be? Why am I getting so few attempts, if it is as eEye says -- that every worm instance has the same seed? I should be getting tons and tons of tries, if the worm has been around for this long. Or is it that my IP is high up in the "sequence", and not many come that far? If that is the case, the number should be increasing fast in the near future, right?
>
> I'll come back with a report in a week or so.
>
> ________________________________
> m'name be mike brockman! jeeh!
> _ooh,_und_dunt_feed_my_eskimoes_
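A defender-side way to tally the default.ida probes both posters describe in their Apache logs, added here as an example and not part of either message. It assumes Apache's common log format; the log lines are constructed, and `summarize_probes` is a hypothetical name.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log line (assumed format), e.g.
# 192.0.2.10 - - [19/Jul/2001:10:04:51 -0500] "GET /default.ida?X HTTP/1.0" 404 281
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Code Red probes request /default.ida; Apache has no such handler and answers 404.
PROBE_PATH = "/default.ida"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize_probes(lines):
    """Count default.ida GETs per source host and per hour; track first/last time."""
    per_src, per_hour = Counter(), Counter()
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if not rec["path"].startswith(PROBE_PATH):
            continue
        per_src[rec["src"]] += 1
        per_hour[rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
        first = rec["ts"] if first is None or rec["ts"] < first else first
        last = rec["ts"] if last is None or rec["ts"] > last else last
    return {"total": sum(per_src.values()), "sources": per_src,
            "per_hour": per_hour, "first": first, "last": last}


# Constructed sample log: two probing hosts, one normal request, one unparseable line.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:10:04:51 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 281',
    '192.0.2.10 - - [19/Jul/2001:10:05:02 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 281',
    '198.51.100.7 - - [19/Jul/2001:10:31:17 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.4 - - [19/Jul/2001:15:47:09 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 281',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(summarize_probes(SAMPLE_LOG))
```

Run it over the real access_log with `summarize_probes(open(path))` to see when the probes started and how many distinct sources are hitting the server.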
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:02:12 PDT