original code red resurgence...

From: Russell Fulton (r.fultonat_private)
Date: Mon Oct 15 2001 - 16:39:05 PDT

  • Next message: Fulton L. Preston Jr.: "RE: original code red resurgence..."

    Greetings All,
    	      I have been watching the probe rate on port 80 and .ida 
    attacks with interest since the shutdown of Code Red II at the 
    beginning of the month.
    Initially we saw a sharp drop in the number of addresses doing random 
    probes to port 80 and an almost complete absence of .ida probes logged 
    by snort. Then a very slow increase in .ida probes (the ones padded 
    with "NNN").  Over the last few days the .ida probe rate is has risen 
    from one or two per day to approximately 1 per hour across our network 
    and the overall probe rate has risen from around 1500 different source 
    IPs per hour to 1800. 
    The original code red is definitely still alive and spreading, abiet 
    There is one thing that puzzles me: snort (1.8.1) sometimes logs an 
    alert for '.ida attempt' but does not log any packet and in some cases 
    I have not been able to find the log entries in the web server logs.  
    This suggests that something odd is breaking in snort.  I have posted a 
    query on the snort_users mailing list but have not had any response.
    Any ideas?
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Tue Oct 16 2001 - 10:46:50 PDT