We are seeing the probes being directed to *any* server, at random, regardless of their DNS name.

A side note, we've seen a 2000% increase in the past four hours of probes for the IDA vulnerability. All of them that I have investigated have had identical signatures, and appear to be actions of the "code red" worm.

> -----Original Message-----
> From: Colby Rice [mailto:criceat_private]
> Sent: Thursday, July 19, 2001 1:29 PM
> Cc: incidentsat_private; focus-idsat_private
> Subject: RE: .ida Intrusion Attempt
>
> Has anyone else noticed that it is only hitting www. servers? Or am I
> just lucky? I am getting many many attempts but ONLY on my
> www.<whatever> servers. I DO have servers with port 80 open to the
> outside world that ARE NOT getting hit. From everything I have read on
> this worm it is picking its IPs at random and if that is the case then
> I should have been hit on something OTHER than these (few) www.
> servers..
>
> (or am I missing something?)
>
> CR

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:16:48 PDT