Re: high number of code red events

From: michalat_private
Date: Mon Oct 07 2002 - 01:50:48 PDT


    Hi,
    well, I can see a lot of them too... hundreds per day, but very often
    there is a number of these in a short time period from one IP and then it is
    quiet from that IP.
    As far as I know, this vulnerability is only on MS Win, and I'm running
    Apache, so I suppose that it's a "robot" scan and so I don't worry about
    that.
    
    Michal
    
    
     On 3 Oct 2002, Marcelo Bartsch wrote:
    
    > Hello,
    > has anyone noticed an increasing number of code red attacks, but coming
    > from the same IP address to the same IP address? My IDS detects at least
    > 20 to 30 attacks to the same IP from the same IP, using variants of
    > codered and coderedv2. Is it only me, or has this been seen in other
    > places?
    > 
    > P.S.: sorry for my bad English.
    > 
    > 33 XXX.YYY.ZZZ.52
    >         Sig: WEB-IIS CodeRed v2 root.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS CodeRed v2 root.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS CodeRed v2 root.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS CodeRed v2 root.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: spp_http_decode: ISS Unicode attack detected (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    >         Sig: WEB-IIS cmd.exe access (To: AAA.BBB.CCC.11)
    > 
    > 
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
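
The alert digest quoted in this thread gives a per-source count followed by one `Sig:` line per alert, some of them wrapped by the mail client. As an added example (not part of either poster's message; `parse_digest`, `noisy_pairs`, the threshold of 5 and the sample addresses are assumptions), this tallies alerts per source/destination pair and signature so a repeated burst from one host stands out:

```python
import re
from collections import Counter

# Constructed sample in the digest layout quoted above; documentation-range IPs.
SAMPLE = """\
> 5 192.0.2.52
>         Sig: WEB-IIS CodeRed v2 root.exe access (To: 198.51.100.11)
>         Sig: WEB-IIS CodeRed v2 root.exe access (To: 198.51.100.11)
>         Sig: WEB-IIS cmd.exe access (To: 198.51.100.11)
>         Sig: spp_http_decode: ISS Unicode attack detected (To:
> 198.51.100.11)
>         Sig: WEB-IIS cmd.exe access (To: 198.51.100.11)
> 1 192.0.2.77
>         Sig: WEB-IIS cmd.exe access (To: 198.51.100.12)
"""

SRC_RE = re.compile(r"^(\d+)\s+(\S+)$")                  # "<count> <source IP>"
SIG_RE = re.compile(r"^Sig:\s+(.*?)\s+\(To:\s*(\S+)\)$")  # "Sig: <name> (To: <dst>)"

def parse_digest(text):
    """Return (Counter keyed by (src, dst, signature), {src: declared count})."""
    alerts, declared, src, pending = Counter(), {}, None, ""
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()   # drop mail quoting and indent
        if not line:
            continue
        if pending:                              # rejoin a mail-wrapped Sig line
            line, pending = pending + " " + line, ""
        m = SRC_RE.match(line)
        if m:
            src = m.group(2)
            declared[src] = int(m.group(1))
            continue
        m = SIG_RE.match(line)
        if m and src:
            alerts[(src, m.group(2), m.group(1))] += 1
        elif line.startswith("Sig:"):            # no closing ")" yet: wrapped
            pending = line
    return alerts, declared

def noisy_pairs(alerts, threshold=5):
    """Source/destination pairs whose alert total meets the assumed threshold."""
    pairs = Counter()
    for (src, dst, _sig), n in alerts.items():
        pairs[(src, dst)] += n
    return {pair: n for pair, n in pairs.items() if n >= threshold}

if __name__ == "__main__":
    print(noisy_pairs(parse_digest(SAMPLE)[0]))
```

Comparing the parsed total for a source against the count the digest declares is a quick check that no wrapped line was dropped.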
    



    This archive was generated by hypermail 2b30 : Mon Oct 07 2002 - 18:31:15 PDT