I offer three theoretical explanations for the observed increase in bogus activity:

1) The original attackers (or some copycats inspired by them), seeing the success of Code Red, are pressing the attack using a variety of methods.

2) All this media hype has inspired every bored kid who's still on summer break to see what they can hack into before they have to go back to school.

3) We (sysadmins) are being much more observant than usual, due to our concerns about Code Red. The paradox of Schrodinger's Cat applies: (our perception of) the data has been affected by our observation.

I'm voting for 4) All the above. :-)

Yours,
Michael

-----
Michael C. Tucker      | Java Developer
Energy Graphics, Inc.  | Software Engineer
mtuckerat_private      | Sun Certified System Engineer

It's the action, not the fruit of the action that's important. You have to do the right thing... You may never know what results come from your action. But if you do nothing, there will be no result. (Gandhi)

> -----Original Message-----
> From: Paul Gear [mailto:paulgearat_private]
> Sent: Thursday, August 02, 2001 9:01 AM
> To: SecurityFocus Incidents List
> Subject: Re: Code red probe followed by udp port 10x
>
>
> I've seen quite a few similar probes, but always on 1025. Previously
> i have found information that suggests that this is a Windows NT RPC
> service.
>
> My log entries look like this:
> Aug 1 16:23:13 ### kernel: Packet log: input DENY ppp0 PROTO=17
> 65.4.247.60:1158 ###:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
>
> I've only ever had one such probe before, but yesterday i got around
> 20 total, from diverse networks (home.com, kornet.net, hinet.net,
> chinanet.cn.net, etc.).
>
> However, i can't see any direct correlation with Code Red - i got 56
> probes from Code Red on 20 July, then nothing until today (2 August,
> GMT+1000 timezone) - 24 of them so far. Is someone perhaps trying to
> hide some other probe activity in Code Red's traffic?
>
> Paul
> http://paulgear.webhop.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
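The tallying Paul describes (probes per day per service, and whether the hosts hitting udp/1025 are the same ones sending Code Red scans to tcp/80) can be done mechanically over the ipchains "Packet log:" lines quoted in the thread. The script below is an added example, not code from either poster; it parses that log format and runs over a constructed sample in which hostnames and addresses are documentation-range placeholders, not real probe sources.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of ipchains "Packet log:" lines in the format quoted in
# the thread. Hostname "gw" and all addresses are placeholders from the
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SAMPLE_LOG = """\
Jul 20 09:12:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:3321 192.0.2.10:80 L=48 S=0x00 I=1234 F=0x4000 T=112 (#12)
Jul 20 09:14:44 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4011 192.0.2.10:80 L=48 S=0x00 I=1235 F=0x4000 T=118 (#12)
Aug  1 16:23:13 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.9:1158 192.0.2.10:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
Aug  1 16:40:02 gw kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.200:1160 192.0.2.10:1025 L=37 S=0x00 I=21912 F=0x0000 T=110 (#66)
Aug  2 08:05:19 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.44:2049 192.0.2.10:80 L=48 S=0x00 I=777 F=0x4000 T=120 (#12)
Aug  2 08:05:30 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.44:1170 192.0.2.10:1025 L=37 S=0x00 I=778 F=0x0000 T=120 (#66)
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# One ipchains log line. The "###" alternatives accept the anonymised
# hostname/address that Paul's quoted line uses in place of real values.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: Packet log: (?P<chain>\S+) (?P<action>\S+) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+|#+):(?P<sport>\d+) (?P<dst>[\d.]+|#+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)


def parse_line(line):
    """Return a dict of fields for one ipchains log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    proto = int(rec["proto"])
    rec["proto"] = proto
    # "udp/1025", "tcp/80" etc.; unknown protocol numbers are kept numeric.
    rec["service"] = f"{PROTO_NAMES.get(proto, str(proto))}/{rec['dport']}"
    rec["date"] = f"{rec['mon']} {int(rec['day'])}"
    for key in ("sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] is not None else None
    return rec


def parse_log(text):
    """Parse every matching line of a syslog excerpt; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def daily_service_counts(records):
    """Count denied packets per (date, service), e.g. ('Aug 2', 'udp/1025')."""
    return Counter((r["date"], r["service"]) for r in records)


def sources_by_service(records):
    """Map each service to the set of source addresses that probed it."""
    by_service = defaultdict(set)
    for r in records:
        by_service[r["service"]].add(r["src"])
    return dict(by_service)


def sources_hitting_both(records, service_a, service_b):
    """Source addresses seen against both services, on any day.

    An empty result for ('tcp/80', 'udp/1025') is what you would expect if the
    udp/1025 probes are unrelated to the hosts scanning for Code Red targets.
    """
    by_service = sources_by_service(records)
    return by_service.get(service_a, set()) & by_service.get(service_b, set())


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (date, service), n in daily_service_counts(recs).items():
        print(f"{date:>6}  {service:<9} {n}")
    both = sources_hitting_both(recs, "tcp/80", "udp/1025")
    print("sources seen on both tcp/80 and udp/1025:", sorted(both))
```

To use it on a real box, feed the output of `grep 'Packet log:' /var/log/messages` to `parse_log` instead of `SAMPLE_LOG`. Matching sources across the two services is only one weak correlation test; a source that appears in both sets may just be a widely infected network rather than a deliberate attempt to hide one probe inside another.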
This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 15:22:37 PDT