Re: Code Red, anyone?

From: Michael Sullenszino (mikeszat_private)
Date: Wed Aug 01 2001 - 07:45:45 PDT


    Well, after emerging from the fallout shelter, I checked my NIDS for
    three different companies' subnets.  Grand total: 48 instances of
    CodeRed signature matches (coincidentally, 16 incidents per site).
    
    <g>Well, thank goodness we brought in a third T1 to handle the stress.
    </g>
    
    
    Mike
    
    On Tue, Jul 31, 2001 at 09:31:37PM -0500, Glenn Forbes Fleming Larratt wrote:
    > Here at (unnamed-for-policy-reasons academic Class B) we've seen
    > exactly one packet matching our Snort rule for IIS exploit attempts of
    > the sort that include Code Red (from 195.219.102.44 in .de, FWIW).
    > 
    > We've also examined MRTG graphs of all our network and subnet links,
    > paying particular attention to the turnover of 0000 UTC 1 August, and
    > have observed no anomalies in traffic flows that would indicate either
    > widespread infection or DDoS attempts.
    > 
    > 	-g
    > 
    > On Tue, 31 Jul 2001, Alfred Huger wrote:
    > 
    > > I realize that most of you have taken shelter and are awaiting the
    > > impending demise of the Internet as we know it. However for those of you
    > > stalwart bastions of courage who are still manning the ship in the face of
    > > this clear and present danger, I have a question. Anyone seeing Code Red
    > > activity yet?
    > >
    > -- 
    > Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
    > glrattat_private                        http://www.io.com/~glratt
    > There are imaginary bugs to chase in heaven.
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    -- 
    Michael Sullenszino    /----------------------------------------\
    mikeat_private  ||  Powered by OpenBSD (www.OpenBSD.org)  ||
    www.sullenszino.org   ||   & Debian GNU/Linux (www.debian.org)  ||
    206.722.6539           \----------------------------------------/
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 08:07:23 PDT