RE: .ida Intrusion Attempt

From: Tulchinskiy, Sasha (STulchinskiyat_private)
Date: Thu Jul 19 2001 - 11:19:30 PDT


    That is not correct (unfortunately).
    We have servers attacked with URLs other than www.something...
    
    -----Original Message-----
    From: Colby Rice [mailto:criceat_private]
    Sent: Thursday, July 19, 2001 1:29 PM
    Cc: incidentsat_private; focus-idsat_private
    Subject: RE: .ida Intrusion Attempt
    
    
    Has anyone else noticed that it is only hitting www. servers? Or am I
    just lucky? I am getting many, many attempts but ONLY on my
    www.<whatever> servers. I DO have servers with port 80 open to the
    outside world that ARE NOT getting hit. From everything I have read on
    this worm it is picking its IPs at random, and if that is the case then
    I should have been hit on something OTHER than these (few) www.
    servers.
    
    (or am I missing something?)
    
    		CR
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:19:25 PDT