RE: .ida Intrusion Attempt

From: Keith.Morgan (Keith.Morganat_private)
Date: Thu Jul 19 2001 - 10:58:25 PDT


    We are seeing the probes being directed to *any* server, at random,
    regardless of their DNS name.  A side note, we've seen a 2000% increase in
    the past four hours of probes for the IDA vulnerability.  All of them that I
    have investigated have had identical signatures, and appear to be actions of
    the "code red" worm.
    
    
    > -----Original Message-----
    > From: Colby Rice [mailto:criceat_private]
    > Sent: Thursday, July 19, 2001 1:29 PM
    > Cc: incidentsat_private; focus-idsat_private
    > Subject: RE: .ida Intrusion Attempt
    > 
    > 
    > Has anyone else noticed that it is only hitting www. servers? or am I
    > just lucky? I am getting many many attempts but ONLY on my
    > www.<whatever> servers I DO have servers with port 80 open to the
    > outside world that ARE NOT getting hit. from everything I have read on
    > this worm it is picking its IPs at random and if that is the case then
    > I should have been hit on something OTHER than these (few) www.
    > servers.. 
    > 
    > (or am I missing something?)
    > 
    > 		CR
    > 
    
    


