Looks like Code Red, but not seeing the 3 hits per IP address, just one. May be due to the different FW logs; I use Firewall-1. We have had 30 attempts over that time against our website.

As it was in the wild on Monday and about Wednesday was at 20,000 (according to SANS) I would expect the infection rate is nearer 100,000+ based on:

1) till 17 Jul 2001 06:00 GMT our logged attempts were in the 10's a day
2) Really kicked in at about 17 Jul 2001 06:00 GMT
3) We have had about 5000 attempts in the last 12 hours

regards
Dean

-----Original Message-----
From: Gillard, Paul [mailto:paul.gillardat_private]
Sent: Friday, 20 July 2001 5:23 AM
To: incidentsat_private
Subject: HTTP connections

In the past hour I've seen a dramatic increase in attempted connections to port 80 for all the IPs we own, none of which are web servers. I usually get about 1 a day but in the last hour I've had over thirty different IPs trying to connect and it looks like it's increasing (examples below). Has anybody any ideas on why this should increase so suddenly? Maybe attempts from "Code Red" infected machines?
24.14.236.44 aaa.bbb.ccc.73 1130 80 deny
eth0:6 24.14.236.44 aaa.bbb.ccc.73 1130 80 deny
eth0:6 24.14.236.44 aaa.bbb.ccc.73 1130 80 deny
eth0:3 63.107.98.2 aaa.bbb.ccc.70 34296 80 deny
eth0:3 63.107.98.2 aaa.bbb.ccc.70 34296 80 deny
eth0:3 63.107.98.2 aaa.bbb.ccc.70 34296 80 deny
eth0:7 65.42.206.68 aaa.bbb.ccc.74 2193 80 deny
eth0:7 65.42.206.68 aaa.bbb.ccc.74 2193 80 deny
eth0:7 65.42.206.68 aaa.bbb.ccc.74 2193 80 deny
eth0 200.253.169.10 aaa.bbb.ccc.66 21999 80 deny
eth0 200.253.169.10 aaa.bbb.ccc.66 21999 80 deny
eth0:6 203.247.201.87 aaa.bbb.ccc.73 3582 80 deny
eth0:6 203.247.201.87 aaa.bbb.ccc.73 3582 80 deny
eth0:6 203.247.201.87 aaa.bbb.ccc.73 3582 80 deny
eth0:2 217.88.174.72 aaa.bbb.ccc.68 3163 80 deny
eth0:2 217.88.174.72 aaa.bbb.ccc.68 3163 80 deny
eth0:2 217.88.174.72 aaa.bbb.ccc.68 3163 80 deny
eth0:8 63.218.145.156 aaa.bbb.ccc.75 2684 80 deny
eth0:8 63.218.145.156 aaa.bbb.ccc.75 2684 80 deny
eth0:8 63.218.145.156 aaa.bbb.ccc.75 2684 80 deny
eth0:1 204.210.242.171 aaa.bbb.ccc.67 1503 80 deny
eth0:1 204.210.242.171 aaa.bbb.ccc.67 1503 80 deny
eth0:1 204.210.242.171 aaa.bbb.ccc.67 1503 80 deny
eth0:1

Paul Gillard
System Administrator
RadioScape Ltd.
+44 (0)20 7317 3414
paul.gillardat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
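
An added example, not part of either message: a Python sketch that reads deny lines in the column layout of the firewall excerpt quoted in the thread (interface, source, destination, source port, destination port, action) and counts port-80 attempts per source against addresses that run no web server. It assumes that repeated lines with the same source address and source port are retransmissions of one connection attempt; the sample log, its addresses and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: interface, source, destination, sport, dport, action.
# Addresses are documentation ranges, not values taken from the thread.
SAMPLE_LOG = """\
eth0:6 192.0.2.10 203.0.113.73 1130 80 deny
eth0:6 192.0.2.10 203.0.113.73 1130 80 deny
eth0:6 192.0.2.10 203.0.113.73 1130 80 deny
eth0:3 198.51.100.7 203.0.113.70 34296 80 deny
eth0:3 198.51.100.7 203.0.113.70 34296 80 deny
eth0 198.51.100.99 203.0.113.66 21999 80 deny
eth0:1 192.0.2.10 203.0.113.67 1131 80 deny
eth0:2 192.0.2.200 203.0.113.68 4000 25 deny
eth0:2 truncated line
"""
NON_WEB_HOSTS = {"203.0.113.%d" % n for n in range(66, 76)}  # assumed address block

def parse_line(line):
    """Return (src, dst, sport, dport, action) or None for a malformed line."""
    fields = line.split()
    if len(fields) != 6:
        return None
    _iface, src, dst, sport, dport, action = fields
    if not (sport.isdigit() and dport.isdigit()):
        return None
    return src, dst, int(sport), int(dport), action

def summarize_port80_denies(log_text, non_web_hosts):
    """Collapse repeated lines for one (src, dst, sport) into a single attempt
    (assumed to be retransmissions), then total attempts per source address."""
    lines_per_attempt = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or malformed entries
        src, dst, sport, dport, action = rec
        if action == "deny" and dport == 80 and dst in non_web_hosts:
            lines_per_attempt[(src, dst, sport)] += 1
    per_source = defaultdict(lambda: {"attempts": 0, "log_lines": 0, "targets": set()})
    for (src, dst, _sport), count in lines_per_attempt.items():
        entry = per_source[src]
        entry["attempts"] += 1
        entry["log_lines"] += count
        entry["targets"].add(dst)
    return dict(per_source)

if __name__ == "__main__":
    for src, e in sorted(summarize_port80_denies(SAMPLE_LOG, NON_WEB_HOSTS).items()):
        print(src, e["attempts"], e["log_lines"], sorted(e["targets"]))
```

Counting attempts rather than raw log lines keeps totals comparable between firewalls that log every retransmission and those that log one line per connection.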
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 20:07:45 PDT