Re: CRv2 multiple scans from same source IP

From: corecode (corecodeat_private)
Date: Mon Aug 06 2001 - 03:09:12 PDT


    At 12:39 AM 8/6/2001, John Davidson wrote:
    >My W2k IIS logs show 3 CRv2 scans from the same source IP within the same
    >minute.
    
    which worm is attacking? please don't mistake the names!
    there is:
    code red original, discovered around the 13th of July (CRv1): has a damaged 
    PRNG
    code red with patched PRNG, discovered around the 16th of July (CRv2)
    both can infect one system multiple times, but the possibility of double 
    attacks is much higher from CRv1 than from CRv2
    
    NOW: CodeRedII (this name is easily mistaken for CRv2, so i would suppose 
    another name: I started calling it ida_root since my first analysis on 5th 
    aug, 7:34 GMT)
    this worm always only infects one host _once_. it checks for double infection.
    it could generate the same ip address again in its PRNG but the chance of 
    this happening is near 0.
    
    furthermore ida_root (or whatever you call it) concentrates on class A and 
    class B networks 7/8 of the time...
    
    cheerz
       corecode
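One way to check logs like John's for the repeated-hit pattern corecode describes (several requests from one source IP inside the same minute, which per the message points at CRv1/CRv2 rather than CodeRedII), as an added example that is not part of the original thread: it parses IIS W3C extended log lines and counts .ida requests per source per minute. The field layout, the sample lines and the assumption that the worm's requests appear as GETs for a .ida URI are mine, not data from the message.

```python
import re
from collections import defaultdict

# Constructed sample of IIS W3C extended log lines (not from the original
# thread); assumed fields: date time c-ip cs-method cs-uri-stem sc-status.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-06 00:39:02 192.0.2.17 GET /default.ida 200
2001-08-06 00:39:15 192.0.2.17 GET /default.ida 200
2001-08-06 00:39:41 192.0.2.17 GET /default.ida 200
2001-08-06 00:40:03 198.51.100.9 GET /default.ida 200
2001-08-06 00:41:30 203.0.113.5 GET /index.html 200
"""

# Seconds are dropped from the time group so the key is a whole minute.
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d):\d\d "
    r"(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)


def parse_iis_log(text):
    """Yield (minute, client_ip, uri_stem) per data line; '#' directives are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LOG_LINE.match(line)
        if m:
            yield f"{m['date']} {m['time']}", m["ip"], m["uri"]


def repeated_ida_hits(text, threshold=2):
    """Return {(minute, ip): count} for sources that sent at least `threshold`
    .ida requests within one minute (assumed worm request shape, see lead-in)."""
    counts = defaultdict(int)
    for minute, ip, uri in parse_iis_log(text):
        if uri.split("?")[0].lower().endswith(".ida"):
            counts[(minute, ip)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (minute, ip), n in sorted(repeated_ida_hits(SAMPLE_LOG).items()):
        print(f"{minute} {ip}: {n} .ida requests in one minute (CRv1/CRv2 candidate)")
```

With the default threshold the sample reports only 192.0.2.17, which hit three times inside 00:39; the single hit from 198.51.100.9 is the pattern the message attributes to CodeRedII, which checks for double infection.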
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:36:31 PDT