RE: Code red probe followed by udp port 10x

From: Michael Tucker (mtuckerat_private)
Date: Thu Aug 02 2001 - 13:40:23 PDT


    I offer three theoretical explanations for the observed increase in bogus
    activity:
    
    1) The original attackers (or some copycats inspired by them), seeing the
    success of Code Red, are pressing the attack using a variety of methods.
    
    2) All this media hype has inspired every bored kid who's still on summer
    break to see what they can hack into before they have to go back to school.
    
    3) We (sysadmins) are being much more observant than usual, due to our
    concerns about Code Red. The paradox of Schrödinger's Cat applies: (our
    perception of) the data has been affected by our observation.
    
    I'm voting for 4) All the above. :-)
    
    Yours,
    Michael
    -----
    Michael C. Tucker           |  Java Developer
    Energy Graphics, Inc.       |  Software Engineer
    mtuckerat_private  |  Sun Certified System Engineer
    
    It's the action, not the fruit of the action that's important.  You have
    to do the right thing...  You may never know what results come from your
    action.  But if you do nothing, there will be no result.  (Gandhi)
    
    > -----Original Message-----
    > From: Paul Gear [mailto:paulgearat_private]
    > Sent: Thursday, August 02, 2001 9:01 AM
    > To: SecurityFocus Incidents List
    > Subject: Re: Code red probe followed by udp port 10x
    > 
    > 
    > I've seen quite a few similar probes, but always on 1025.  Previously
    > I have found information that suggests that this is a Windows NT RPC
    > service.
    > 
    > My log entries look like this:
    > Aug  1 16:23:13 ### kernel: Packet log: input DENY ppp0 PROTO=17
    > 65.4.247.60:1158 ###:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
    > 
    > I've only ever had one such probe before, but yesterday I got around
    > 20 total, from diverse networks (home.com, kornet.net, hinet.net,
    > chinanet.cn.net, etc.).
    > 
    > However, I can't see any direct correlation with Code Red - I got 56
    > probes from Code Red on 20 July, then nothing until today (2 August,
    > GMT+1000 timezone) - 24 of them so far. Is someone perhaps trying to
    > hide some other probe activity in Code Red's traffic?
    > 
    > Paul
    > http://paulgear.webhop.net
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
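Paul's question (whether the UDP/1025 probes line up with the Code Red hits on TCP/80) is something a log parser can answer directly. The script below is an added example, not code from either poster: it parses ipchains "Packet log" lines in the exact format shown above (hostname and destination address, redacted as ### in the original, replaced by constructed placeholder values), counts probes per day for a given protocol/port, and compares the set of source addresses that hit TCP/80 with those that hit UDP/1025. The sample log lines are constructed from the documentation address ranges; the /24 grouping is a crude stand-in for the reverse-DNS domains Paul listed, and is an assumption of this example rather than anything the thread prescribes.

```python
import re
from collections import Counter

# Matches the ipchains kernel log format quoted in the thread, e.g.
#   Aug  1 16:23:13 gw kernel: Packet log: input DENY ppp0 PROTO=17 \
#   203.0.113.8:1158 192.0.2.10:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: two Code Red-style hits on TCP/80 on 20 July, a burst of
# UDP/1025 probes on 1 August, one more of each on 2 August, and a junk line.
SAMPLE_LOG = """\
Jul 20 09:12:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:3412 192.0.2.10:80 L=48 S=0x00 I=4521 F=0x4000 T=113 (#12)
Jul 20 09:12:44 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.55:1031 192.0.2.10:80 L=48 S=0x00 I=4522 F=0x4000 T=118 (#12)
Aug  1 16:23:13 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.8:1158 192.0.2.10:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
Aug  1 16:40:02 gw kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.200:1047 192.0.2.10:1025 L=37 S=0x00 I=21912 F=0x0000 T=109 (#66)
Aug  1 18:05:19 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.55:1212 192.0.2.10:1025 L=37 S=0x00 I=21950 F=0x0000 T=118 (#66)
Aug  2 07:14:55 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.99:2044 192.0.2.10:80 L=48 S=0x00 I=5531 F=0x4000 T=120 (#12)
Aug  2 07:15:30 gw kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.42:1025 192.0.2.10:1025 L=37 S=0x00 I=21999 F=0x0000 T=111 (#66)
this line is not a packet log entry and is skipped
"""


def parse_line(line):
    """Return a dict for one ipchains log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    return {
        "date": f"{d['mon']} {int(d['day']):02d}",  # syslog has no year
        "time": d["time"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "ttl": int(d["ttl"]),
    }


def parse_log(text):
    """Parse all lines, silently dropping anything that is not a packet log entry."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def probes_per_day(records, proto, dport):
    """Count DENY'd packets per day for one protocol/port, e.g. ('udp', 1025)."""
    return Counter(r["date"] for r in records
                   if r["proto"] == proto and r["dport"] == dport)


def source_overlap(records, a=("tcp", 80), b=("udp", 1025)):
    """Split source addresses into those seen on both services, only a, only b.
    A large 'both' set would support a link between the two probe types."""
    srcs_a = {r["src"] for r in records if (r["proto"], r["dport"]) == a}
    srcs_b = {r["src"] for r in records if (r["proto"], r["dport"]) == b}
    return {"both": srcs_a & srcs_b, "only_a": srcs_a - srcs_b, "only_b": srcs_b - srcs_a}


def distinct_networks(records, proto, dport):
    """Group sources by /24 prefix (assumed stand-in for 'diverse networks')."""
    return {".".join(r["src"].split(".")[:3]) + ".0/24"
            for r in records if r["proto"] == proto and r["dport"] == dport}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tcp/80 per day: ", dict(probes_per_day(recs, "tcp", 80)))
    print("udp/1025 per day:", dict(probes_per_day(recs, "udp", 1025)))
    print("source overlap:  ", source_overlap(recs))
    print("udp/1025 nets:   ", distinct_networks(recs, "udp", 1025))
```

On the constructed sample only one source address appears on both services, so the analysis would point the same way as Paul's observation: the two probe types mostly come from different hosts and on different days. Run against a real firewall log, the same per-day counts and source-set comparison are what you would look at before concluding that one kind of traffic is being hidden in the other.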
    
    This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 15:22:37 PDT