I can correlate what Kelly reports -- *something* happened between 14-1500 GMT today to drastically increase the number of 'code red' scans/infections. I've been tracking them since Saturday on my IDS. Our class-b address space appears to be high up on the worm's scanning pattern.

For all of 7/18 I recorded probes from 8247 unique host IP addresses, presumably compromised with 'code red'. Just during the 1900GMT hour today - one hour of logs - I recorded 'code red' hits from 115124 different IP addresses. All of these probes are bouncing off our firewall.

The drastic increase in infections/probes began between 1300-1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.

Ken Eichman                    Senior Security Engineer
Chemical Abstracts Service     Tel: (614) 447-3838 ext 3230
2540 Olentangy River Road      Fax: (614) 447-3855
Columbus, OH 43210             Email: keichmanat_private

> From: Kelly Martin <kellymat_private>
> To: "'Mike Brockman'" <phubuhat_private>, bugtraqat_private
> Subject: RE: 'Code Red' does not seem to be scanning for IIS
> Date: Thu, 19 Jul 2001 17:21:06 -0500
>
> Our principal web server (which services some 50-odd virtual domains) has
> taken over 500 hits from "Code Red" worms since around 10am today. It runs
> Apache, so it doesn't present a security risk, but it is tending to annoy
> our already-overloaded network pipe (we have four Class C's squeezed into
> one T1 line). Prior to today at around 11am there is no record in our
> logfiles for that server, which go back to 10 July.
>
> Our servers all started to see hits at about the same time, around 10 am
> central time. Two of them, NT 4.0 SP6a systems with IIS 5, died, one
> repeatedly, before we figured out what was going on. The attacks come from
> widely variable hosts (no discernible pattern). I've tracked nearly a
> thousand hits on our IP block in the past six hours or so with none before
> that, and that doesn't even count the ones that smacked silently against the
> firewall (port 80 is only open through the firewall to hosts that actually
> run public web servers, which is only a tiny fraction of the IPs in the
> block).
>
> My cable modem has also started to get hit today, for the first time as far
> as I know, as has our off-site ecommerce server. I suspect that this is a
> fresh launch, possibly with a modified code base from the original Red Code
> worm.
>
> Kelly Martin
> American Farm Bureau Federation
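Both posts above measure the outbreak the same way: count the worm's probes in a server or firewall log and report how many distinct source addresses appear per hour. The script below is an added example, not code from either poster. It assumes Apache-style access-log lines (Kelly's server runs Apache) and identifies a probe by the request the worm sends, a GET for /default.ida; the sample log lines are constructed with RFC 5737 test addresses, and the worm's long filler and encoded payload in the query string are shortened to a placeholder. One sample line carries a -0500 offset so the tally shows the conversion from US Central time to GMT, which is how Kelly's "around 10am" lines up with Ken's 14-1500 GMT window.

```python
"""Tally Code Red probe sources per GMT hour from web-server access logs.

Added example, not from the original Bugtraq thread. Assumes Apache
common/combined log format and treats a GET for /default.ida as a probe.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
# The worm's query string is abbreviated to a short N/X filler here.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:13:05:11 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [19/Jul/2001:13:41:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [19/Jul/2001:13:55:30 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.22 - - [19/Jul/2001:10:12:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [19/Jul/2001:15:30:01 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [19/Jul/2001:15:59:59 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
this line is not a log record and must be skipped
"""

# %h %l %u [%t] "%r" %>s %b ...  (the referrer/agent tail is ignored)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (source_ip, utc_datetime, request_line), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group("src"), ts.astimezone(timezone.utc), m.group("req")


def is_code_red(request_line):
    """True when the request is the worm's probe: a GET for /default.ida."""
    parts = request_line.split()
    return len(parts) >= 2 and parts[0] == "GET" and parts[1].startswith("/default.ida")


def tally(lines):
    """Return (unique sources per GMT hour, total unique sources, total probes).

    A source seen in two different hours is counted once in each hour but
    once overall, matching how the posts report per-hour and per-day figures.
    """
    per_hour = defaultdict(set)
    all_sources = set()
    hits = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a log record
        src, when, req = rec
        if not is_code_red(req):
            continue  # ordinary traffic
        hits += 1
        all_sources.add(src)
        per_hour[when.strftime("%Y-%m-%d %H:00 GMT")].add(src)
    counts = {hour: len(srcs) for hour, srcs in sorted(per_hour.items())}
    return counts, len(all_sources), hits


if __name__ == "__main__":
    counts, uniq, hits = tally(SAMPLE_LOG.splitlines())
    for hour, n in counts.items():
        print(f"{hour}: {n} unique source(s)")
    print(f"{hits} probe(s) from {uniq} unique source address(es) overall")
```

Run against a real access log with `tally(open("access.log"))`; the per-hour set sizes are the figure both posters quote, and a sudden jump between adjacent hours is the signal Ken describes seeing on his IDS. For a firewall log the only change needed is the regex and timestamp format in `parse_line`.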
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 17:43:18 PDT