RE: Code Red, anyone?

From: Coen Bongers (CoBat_private)
Date: Wed Aug 01 2001 - 03:56:43 PDT


    Hi all,
    
    I'm starting to see the first infection attempts to systems on the cable
    modem netblock on my snort IDS at home.
    
    (Funny, I can see all the traffic in my neighbourhood on my cable modem
    connection, is that normal?)  ;-)
    
    Some relative info:
    
    Snort 1.7 with standard rules, and the CodeRed additional rules.
    
                                                        Source               Dest
    #0-(6-107)  CodeRed Defacement 2001-08-01 09:44:58  211.205.83.13:2008   212.xxx.xxx.xxx:80  TCP
    #1-(6-131)  CodeRed Defacement 2001-08-01 11:17:50  211.41.180.163:2566  212.xxx.xxx.yyy:80  TCP
    
    Time is in GMT +1 and as far as I can tell the sources are two closely
    related Korean hosts.
    And a quick scan with the eEye CodeRed scanner (Thank you guys!!) is telling
    me that both servers are to be considered vulnerable.
    
    Is it starting, or am I just (un)lucky to see a couple???
    
    take care,
    
    Coen Bongers
    Senior Network Engineer
    
    Mobiel: 06-2001 7443
    E-mail: CoBat_private
    
    
    -----Original Message-----
    From: Alfred Huger [mailto:ahat_private]
    Sent: woensdag 1 augustus 2001 3:31
    To: incidentsat_private
    Subject: Code Red, anyone?
    
    
    
    
    I realize that most of you have taken shelter and are awaiting the
    impending demise of the Internet as we know it. However for those of you
    stalwart bastions of courage who are still manning the ship in the face of
    this clear and present danger, I have a question. Anyone seeing Code Red
    activity yet?
    
    I just took a poll through our sensors in ARIS and see almost no activity
    at least none worth commenting on. Anyone else?
    
    
    VP Engineering
    SecurityFocus.com
    "Vae Victis"
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 07:38:49 PDT