Re: CodeRed back with a vengeance this month!

From: Ian O'Brien (iobat_private)
Date: Mon Dec 10 2001 - 11:10:45 PST


    Cory McIntire wrote:
    > 
    > just as a thought, it must depend on what network you're in, whereas I am in
    > the 65.69 network, I receive constant hits from infected nimda victims, but,
    > I only received 5 hits since 8 Dec of the code red. just food for thought...
    
    I think what happened is Excite@home being taken off the air. A lot of customers
    were transferred from the 65./8 and 24./8 over onto 12./8. I think the
    infections will have to reestablish themselves in their new network.
    Some of the infections probably didn't survive the change of IP address and
    reboots. (IIRC CodeRed doesn't survive a reboot, but I could be wrong)
    
    Ian
    
    > cory
    > 
    > On Sunday 09 December 2001 04:33 pm, Russell Fulton wrote:
    > > Hi All,
    > >       Has anyone else noticed that code red has bounced back very
    > > quickly this month after its sleep period?  In past months snort has
    > > not seen CodeRed attacks until 9th or 10th, this month I started seeing
    > > them on the 2nd and by the 4th they had overtaken nimda and now they
    > > have overtaken last month's peak with 9 days to go.
    > >
    > > I also keep an eye on how many systems are probing us on port 80, this
    > > jumped from about 800 unique source addresses per hour on Nov 30 to
    > > nearly 3000 this morning.
    > >
    > > Any ideas what has changed?
    > >
    > > Russell Fulton, Computer and Network Security Officer
    > > The University of Auckland,  New Zealand
    > >
    > >
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    > 
    
    -- 
    
    Ian O'Brien      What kind of head of security would I be if I let people
    408-696-2182=Pgr       like me know things that I'm not supposed to know?
    iobat_private                                  --- Michael Garibaldi, B5
    
    



    This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 14:12:01 PST