In-Reply-To: <F147gMNSK39n0VjyLHX0002e26eat_private>

I'm seeing CR/CRII-looking scans today too. Mostly from one or two IPs right now. I'm on an ATTBI (now Comcast) cable modem with a 24.62.x.x IP address, and most of my scans are coming from another, single 24.62.x.x address. I have seen some scans from other networks as well, such as a 24.117.x.x and a 61.182.x.x. I've seen 7 CRII-like scans today so far.

I differentiate between CR/CRII and Nimda by the number of connection attempts by one IP/source port (since I deny SYN packets): 2 attempts signifies Nimda, 3 signifies CR/CRII, so it's possible that something else that makes 3 attempts on port 80 could be misinterpreted by my script as CRII.

If I recall correctly, CRII would reboot the host anytime during 10/01 or anytime in 2002, but I don't recall any mention of this happening beyond 2002, so it's possible that it could spread again.

I tried connecting to two of the scanning IPs with lynx; one returned a 500 Server error; the other returned a PWS 4.0 home page, so if it's an unpatched IIS box it could be infected with CRII.

>From: "Stan Burditzman" <slidefx2at_private>
>To: incidentsat_private
>Subject: The Return of Code Red II?
>Date: Tue, 11 Mar 2003 11:24:09 -0600
>
>Is anyone else seeing traffic generated by Code Red II. I thought it wasn't
>supposed to propagate after 10/01?
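The retry-count heuristic described in the reply above (denied SYNs to port 80 grouped by source IP and source port: 2 attempts read as Nimda, 3 as CR/CRII), as an added example that is not the poster's script and not part of the original thread. The log line format is an assumption (loosely iptables-style SRC/SPT/DST/DPT fields), and the log lines are constructed for the example; anything that retransmits a SYN three times to port 80 will be labelled CR/CRII here, exactly the misclassification the poster warns about, and because the SYN is dropped no request payload is ever seen, so this can only ever be a guess.

```python
import re
from collections import Counter

# Constructed sample of "denied SYN" firewall log lines (not from the original post).
# The format is an assumption: syslog prefix, then SRC/SPT/DST/DPT fields and the SYN flag.
SAMPLE_LOG = """\
Mar 11 10:01:02 gw kernel: DENY SRC=24.62.1.10 SPT=3321 DST=24.62.5.5 DPT=80 SYN
Mar 11 10:01:05 gw kernel: DENY SRC=24.62.1.10 SPT=3321 DST=24.62.5.5 DPT=80 SYN
Mar 11 10:01:11 gw kernel: DENY SRC=24.62.1.10 SPT=3321 DST=24.62.5.5 DPT=80 SYN
Mar 11 10:02:00 gw kernel: DENY SRC=24.117.7.7 SPT=1045 DST=24.62.5.5 DPT=80 SYN
Mar 11 10:02:03 gw kernel: DENY SRC=24.117.7.7 SPT=1045 DST=24.62.5.5 DPT=80 SYN
Mar 11 10:03:00 gw kernel: DENY SRC=61.182.9.9 SPT=2200 DST=24.62.5.5 DPT=80 SYN
Mar 11 10:03:03 gw kernel: DENY SRC=61.182.9.9 SPT=2200 DST=24.62.5.5 DPT=80 SYN
Mar 11 10:03:09 gw kernel: DENY SRC=61.182.9.9 SPT=2200 DST=24.62.5.5 DPT=80 SYN
Mar 11 10:03:21 gw kernel: DENY SRC=61.182.9.9 SPT=2200 DST=24.62.5.5 DPT=80 SYN
Mar 11 10:04:00 gw kernel: DENY SRC=10.0.0.3 SPT=5000 DST=24.62.5.5 DPT=22 SYN
"""

# Pull the source IP, source port and destination port out of a denied-SYN line.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) SPT=(?P<spt>\d+) DST=[\d.]+ DPT=(?P<dpt>\d+) SYN\b"
)


def count_syn_attempts(log_text, dport=80):
    """Count denied SYNs to dport, keyed by (source ip, source port).

    A TCP stack retransmitting an unanswered SYN reuses the same source port,
    so one (ip, port) key is one connection attempt with its retries.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == dport:
            counts[(m.group("src"), int(m.group("spt")))] += 1
    return counts


def classify_flow(attempts):
    """The post's heuristic: 2 SYNs -> Nimda, 3 SYNs -> CR/CRII, anything else unknown."""
    if attempts == 2:
        return "Nimda"
    if attempts == 3:
        return "CR/CRII"
    return "unknown"


def classify_scans(log_text, dport=80):
    """Map each (source ip, source port) flow to its heuristic label."""
    return {flow: classify_flow(n)
            for flow, n in count_syn_attempts(log_text, dport).items()}


def summarize_by_source(log_text, dport=80):
    """Per source IP, how many flows landed in each label (the 'N CRII-like scans today' count)."""
    summary = Counter()
    for (src, _spt), label in classify_scans(log_text, dport).items():
        summary[(src, label)] += 1
    return summary


if __name__ == "__main__":
    for (src, label), n in sorted(summarize_by_source(SAMPLE_LOG).items()):
        print(f"{src:15} {label:8} {n} flow(s)")
```

Only port-80 SYNs are counted, so the stray port-22 line is ignored, and the four-SYN flow from 61.182.9.9 comes out as "unknown" rather than being forced into either worm bucket; widening the retry window or counting per source IP instead of per (IP, port) would change the labels, which is the whole fragility of the method.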
This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 12:42:54 PST