Security Incidents mailing list archives

Re: CodeRed back with a vengeance this month!


From: "Ian O'Brien" <iob () xilinx com>
Date: Mon, 10 Dec 2001 11:10:45 -0800

Cory McIntire wrote:

just as a thought, it must depend on what network you're in, whereas I am in
the 65.69 network, I receive constant hits from infected nimda victims, but
I only received 5 hits since 8 Dec of the code red. just food for thought...

I think what happened is Excite@home being taken off the air. A lot of customers
were transferred from the 65./8 and 24./8 over onto 12./8. I think the
infections will have to reestablish themselves in their new network.
Some of the infections probably didn't survive the change of IP address and
reboots. (IIRC CodeRed doesn't survive a reboot, but I could be wrong)

Ian

cory

On Sunday 09 December 2001 04:33 pm, Russell Fulton wrote:
Hi All,
      Has anyone else noticed that code red has bounced back very
quickly this month after its sleep period.  In past months snort has
not seen CodeRed attacks until 9th or 10th, this month I started seeing
them on the 2nd and by the 4th they had overtaken nimda and now they
have overtaken last month's peak with 9 days to go.

I also keep an eye on how many systems are probing us on port 80, this
jumped from about 800 unique source addresses per hour on Nov 30 to
nearly 3000 this morning.

Any ideas what has changed?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


---------------------------------------------------------------------------
- This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


-- 

Ian O'Brien      What kind of head of security would I be if I let people
408-696-2182=Pgr       like me know things that I'm not supposed to know?
iob () xilinx com                                  --- Michael Garibaldi, B5
