Bugtraq mailing list archives
Re(2): 'Code Red' does not seem to be scanning for IIS
From: Ken Eichman <keichman () cas org>
Date: Thu, 19 Jul 2001 19:15:32 -0400 (EDT)
I can correlate what Kelly reports -- *something* happened between 14-1500 GMT today to drastically increase the number of 'code red' scans/infections. I've been tracking them since Saturday on my IDS. Our class-b address space appears to be high up on the worm's scanning pattern.

For all of 7/18 I recorded probes from 8247 unique host IP addresses, presumably compromised with 'code red'. Just during the 1900GMT hour today - one hour of logs - I recorded 'code red' hits from 115124 different IP addresses. All of these probes are bouncing off our firewall.

The drastic increase in infections/probes began between 1300-1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.

Ken Eichman
Senior Security Engineer
Chemical Abstracts Service
2540 Olentangy River Road
Columbus, OH 43210
Tel: (614) 447-3838 ext 3230
Fax: (614) 447-3855
Email: keichman () cas org
From: Kelly Martin <kellym () fb00 fb org>
To: "'Mike Brockman'" <phubuh () home se>, bugtraq () securityfocus com
Subject: RE: 'Code Red' does not seem to be scanning for IIS
Date: Thu, 19 Jul 2001 17:21:06 -0500
Our principal web server (which services some 50-odd virtual domains) has taken over 500 hits from "Code Red" worms since around 10am today. It runs Apache, so it doesn't present a security risk, but it is tending to annoy our already-overloaded network pipe (we have four Class C's squeezed into one T1 line). Prior to today at around 11am there is no record in our logfiles for that server, which go back to 10 July.

Our servers all started to see hits at about the same time, around 10 am central time. Two of them, NT 4.0 SP6a systems with IIS 5, died, one repeatedly, before we figured out what was going on. The attacks come from widely variable hosts (no discernible pattern). I've tracked nearly a thousand hits on our IP block in the past six hours or so with none before that, and that doesn't even count the ones that smacked silently against the firewall (port 80 is only open through the firewall to hosts that actually run public web servers, which is only a tiny fraction of the IPs in the block). My cable modem has also started to get hit today, for the first time as far as I know, as has our off-site ecommerce server.

I suspect that this is a fresh launch, possibly with a modified code base from the original Red Code worm.

Kelly Martin
American Farm Bureau Federation
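Both posters measure the outbreak by distinct probing hosts per hour rather than raw hit counts. The script below is an added example, not code from either poster: it parses constructed Apache combined-format log lines (the sample is made up, not real traffic), picks out requests shaped like the worm's /default.ida probe (the request form is taken from public analyses of Code Red, not from this thread), and tallies unique source IPs per hour so a surge like the one described above stands out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Apache combined-format log lines; RFC 5737 addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2001:09:12:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [19/Jul/2001:10:03:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
198.51.100.9 - - [19/Jul/2001:10:05:10 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
198.51.100.4 - - [19/Jul/2001:10:41:37 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
192.0.2.33 - - [19/Jul/2001:11:15:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
"""

# source IP, timestamp, method, path, status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
# Code Red's probe is a GET for /default.ida followed by a long run of 'N' padding;
# matching on the path is enough to count probes without caring about the payload.
CODE_RED_RE = re.compile(r'^/default\.ida\?N{20,}', re.I)


def code_red_hits_per_hour(log_text):
    """Return {hour: set of source IPs} for requests that look like Code Red probes."""
    per_hour = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        if method != "GET" or not CODE_RED_RE.match(path):
            continue
        # drop the timezone offset; bucket by the log's local hour
        when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
        per_hour[when.strftime("%Y-%m-%d %H:00")].add(ip)
    return per_hour


def unique_sources_per_hour(per_hour):
    """Sorted (hour, distinct probing hosts): the measure both posters use, since one
    infected host may hit the same target repeatedly and would inflate a raw count."""
    return [(hour, len(ips)) for hour, ips in sorted(per_hour.items())]


if __name__ == "__main__":
    for hour, n in unique_sources_per_hour(code_red_hits_per_hour(SAMPLE_LOG)):
        print(f"{hour}  {n} distinct Code Red sources")
```

On a real log the hourly series is what you compare against the preceding days; on the sample it shows two distinct hosts in the 10:00 hour (one of them probing twice) and one in the 11:00 hour.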
Current thread:
- 'Code Red' does not seem to be scanning for IIS Mike Brockman (Jul 19)
- RE: 'Code Red' does not seem to be scanning for IIS Marc Maiffret (Jul 19)
- RE: 'Code Red' does not seem to be scanning for IIS Emre Yildirim (Jul 19)
- Re: 'Code Red' does not seem to be scanning for IIS Ethan Butterfield (Jul 19)
- Re: 'Code Red' does not seem to be scanning for IIS daniel uriah clemens (Jul 19)
- Re: 'Code Red' does not seem to be scanning for IIS Ryan Russell (Jul 19)
- <Possible follow-ups>
- RE: 'Code Red' does not seem to be scanning for IIS Kelly Martin (Jul 19)
- Re(2): 'Code Red' does not seem to be scanning for IIS Ken Eichman (Jul 19)
- RE: 'Code Red' does not seem to be scanning for IIS Duncan Hill (Jul 19)
- Re: 'Code Red' does not seem to be scanning for IIS Stephen Cimarelli (Jul 19)
- RE: 'Code Red' does not seem to be scanning for IIS Tony Langdon (Jul 19)
- Re: 'Code Red' does not seem to be scanning for IIS George William Herbert (Jul 20)
- RE: 'Code Red' does not seem to be scanning for IIS Marc Maiffret (Jul 19)