Security Incidents mailing list archives
Code Red, anyone?
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Wed, 1 Aug 2001 14:37:49 +1200 (NZST)
On Tue, 31 Jul 2001 19:31:01 -0600 (MDT) Alfred Huger <ah () securityfocus com> wrote:
> I realize that most of you have taken shelter and are awaiting the impending demise of the Internet as we know it. However for those of you stalwart bastions of courage who are still manning the ship in the face of this clear and present danger, I have a question. Anyone seeing Code Red activity yet? I just took a poll through our sensors in ARIS and see almost no activity at least none worth commenting on. Anyone else?
Since 10am local time (2200 UTC) I have been monitoring the number of inbound TCP sessions to port 80 that consist of a single SYN (I figure the worm should generate lots of these ;-).

There was no change between morning and the hour after midday and a slight rise between 1 and 2 pm, but still well within the bounds of statistical error.

Hmmm... I'll analyse the 2.5 hours data since midday:

90 # total unique source IP address
212.135.14.10.   01 Aug 01 00:10:58 -- 01 Aug 01 01:43:17  # count 3
24.14.144.90.    01 Aug 01 00:08:09 -- 01 Aug 01 00:34:24  # count 2
61.144.143.124.  01 Aug 01 01:48:15 -- 01 Aug 01 02:21:34  # count 2
24.69.55.69.     01 Aug 01 00:50:03 -- 01 Aug 01 02:14:51  # count 2
145.249.35.45.   01 Aug 01 00:26:47 -- 01 Aug 01 00:28:45  # count 2
217.89.69.90.    01 Aug 01 02:05:47 -- 01 Aug 01 02:11:13  # count 2

Times are UTC: first packet seen -- last packet seen. count is number of local addresses probed.

No real evidence of a resurrection there...

Does anyone know what probe rate to expect on a /16 address space from an infected single address? (I know it will vary with bandwidth available.)

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
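The tally described in the message above, sketched as an added example that is not part of the original post: it keeps only sessions to port 80 that consist of a single SYN, then reports per source the first and last time seen and the number of local addresses probed. The flow-record layout, the 10.1.0.0/16 local range, the function names and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed sample records (not data from the post). Assumed layout:
# time_utc src_ip dst_ip dst_port packets tcp_flags
SAMPLE_FLOWS = """\
2001-08-01T00:10:58 192.0.2.10 10.1.4.20 80 1 S
2001-08-01T00:40:12 192.0.2.10 10.1.77.3 80 1 S
2001-08-01T01:43:17 192.0.2.10 10.1.200.9 80 1 S
2001-08-01T00:08:09 198.51.100.7 10.1.9.9 80 1 S
2001-08-01T00:34:24 198.51.100.7 10.1.9.10 80 1 S
2001-08-01T00:20:00 203.0.113.5 10.1.4.20 80 12 SAPF
2001-08-01T00:21:00 203.0.113.6 10.1.4.20 80 1 S
2001-08-01T00:22:00 203.0.113.6 10.1.4.20 80 1 S
2001-08-01T00:25:00 203.0.113.8 10.1.4.21 25 1 S
2001-08-01T00:30:00 203.0.113.9 172.16.0.1 80 1 S
"""

def single_syn_sources(text, local_net="10.1.0.0/16", port=80):
    """Map source IP -> [first_seen, last_seen, set of local targets]."""
    net = ipaddress.ip_network(local_net)
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed records
        ts, src, dst, dport, pkts, flags = fields
        # Keep only sessions that were one bare SYN to the watched port.
        if int(dport) != port or int(pkts) != 1 or flags != "S":
            continue
        if ipaddress.ip_address(dst) not in net:
            continue  # destination is outside the monitored address space
        when = datetime.fromisoformat(ts)
        entry = seen.setdefault(src, [when, when, set()])
        entry[0] = min(entry[0], when)
        entry[1] = max(entry[1], when)
        entry[2].add(dst)
    return seen

def report(seen, min_targets=2):
    """Rows (src, first, last, count) for sources probing >= min_targets hosts."""
    rows = [(s, f, l, len(t)) for s, (f, l, t) in seen.items() if len(t) >= min_targets]
    return sorted(rows, key=lambda r: (-r[3], r[0]))

if __name__ == "__main__":
    seen = single_syn_sources(SAMPLE_FLOWS)
    print(len(seen), "# total unique source IP addresses")
    for src, first, last, count in report(seen):
        print(f"{src}  {first:%d %b %y %H:%M:%S} -- {last:%d %b %y %H:%M:%S}  # count {count}")
```

A source that retries the same host counts once, so repeated SYNs to one web server do not look like a sweep of the address space.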