On Tuesday 31 July 2001 21:31, Alfred Huger wrote:
> Anyone seeing Code Red activity yet?

When I came in tonight at 1 am I was told that there was no Code Red activity seen all night. Now (5:14 EDT) I'm seeing dozens of connects per minute. If it grows at the rate it had previously, we are possibly looking at another serious problem.

Since the end of the last batch of scanning, I'm sure many infected hosts were rebooted because of crashing or some other reason (installing software/changing IPs/etc.). After reboot they are no longer infected (because the virus wasn't spreading). Now these systems, and possibly others that weren't infected the first time around, are getting infected and starting to scan.

Chances are, anyone who hasn't applied the patch by now isn't going to. As another list went over, some vendors won't support their product if you apply patches to the system that are not from them (I believe it was some web-banking software on IIS that was specifically mentioned). I don't take a doomsday attitude with Code Red, but it's clear it's going to continue to create problems to some degree.

My company monitors many class C and B networks' firewall logs/IDS/network appliance reports/etc. We only monitor a tiny chunk of the internet as a whole. However, if I see this just on our clients' networks, then the rest of the world has to be seeing it. Remember, it took several days last time before it got big. This time there are fewer systems for it to infect, but it has a bigger base number from which to spread. Without hard numbers, it's impossible to come up with even a guess at what the spread rate will be.

Let's hope all the organizations who repost advisories as if they had anything to do with the discovery actually got through to some people. Remember, the problem is people who have to hear about available patches to serious security problems on their local news. Perhaps if major news networks and the AP would run a story on system/network admins that don't subscribe to security mailing lists, we wouldn't have had such a problem.

No flames were intended in this message. Don't misinterpret it that way and counterflame.

--
Joseph Nicholas Yarbrough
Information Security Analyst
LURHQ Corporation

***NOTE*** These words and thoughts are my own, not my company's.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 07:33:38 PDT
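The scanning the poster is watching shows up on an IIS server as requests for /default.ida whose query string starts with a long run of padding characters. As an added example, not part of the original message and not LURHQ's tooling, the script below parses IIS W3C extended log lines, flags that probe signature, counts probes per minute (the rate the poster is tracking) and lists the scanning hosts, which are themselves likely-infected IIS servers. The log lines, field layout and IP addresses are constructed for this example; matching on the padding run rather than exact shellcode bytes is an assumption made so the check does not depend on one variant's payload.

```python
"""Flag Code Red style probes in IIS W3C extended log lines.

Added example; the log sample is constructed, not taken from the post.
"""
import re
from collections import Counter

# Constructed sample in IIS W3C Extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-31 05:13:58 192.0.2.10 GET /index.html - 200
2001-07-31 05:14:02 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a 200
2001-07-31 05:14:09 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a 200
2001-07-31 05:14:31 203.0.113.44 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a 404
2001-07-31 05:15:05 203.0.113.99 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a 200
2001-07-31 05:15:40 192.0.2.10 GET /scripts/test.asp id=1 200
"""

# The probe is a GET for /default.ida with a query that opens with a long run of
# padding (N in the July variant, X in Code Red II) followed by %u-encoded bytes.
# Assumption: matching the stem plus the padding run is enough to flag it without
# tying the check to one variant's exact shellcode.
PROBE_STEM = "/default.ida"
PROBE_QUERY_RE = re.compile(r"^(N{8,}|X{8,})")


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line instead of aborting the whole log
        records.append(dict(zip(fields, parts)))
    return records


def is_code_red_probe(rec):
    """True when the request matches the /default.ida padding-run signature."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "")
    return stem == PROBE_STEM and bool(PROBE_QUERY_RE.match(query))


def find_probes(text):
    """All probe records in the log text, in log order."""
    return [r for r in parse_w3c(text) if is_code_red_probe(r)]


def probes_per_minute(probes):
    """{'YYYY-MM-DD HH:MM': count}: a climbing per-minute rate is the warning sign."""
    return Counter(f"{r['date']} {r['time'][:5]}" for r in probes)


def probe_sources(probes):
    """Distinct scanning hosts; each is a probably-infected IIS server to report."""
    return sorted({r["c-ip"] for r in probes})


def accepted_probes(probes):
    """Probes answered 200: the .ida mapping is still present on this server, so it
    is exposed unless patched. A 404 means the .ida mapping was removed."""
    return [r for r in probes if r["sc-status"] == "200"]


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    print(f"{len(probes)} probes from {len(probe_sources(probes))} hosts")
    for minute, count in sorted(probes_per_minute(probes).items()):
        print(f"{minute}  {count} probe(s)/min")
    print("scanning hosts:", ", ".join(probe_sources(probes)))
    print("probes this server accepted (200):", len(accepted_probes(probes)))
```

Run it against a real ex*.log and the per-minute counts give the "connects per minute" figure directly; the source list is what you would hand to the owning network's abuse contact.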