Re: Worm probes

[<up () 3 am>]

ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k
box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this
time of day, although still well short of capacity...apache server
processor load is WAY up just from the requests, and the logs are growing
like mad.

On Tue, 18 Sep 2001, deeann mikula wrote:

> On Tue, 18 Sep 2001, ravi pina wrote:
>
> > On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma () pair com said at one point in time:
> > > Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
> > > probes this morning?  We're seeing about 8000/second, starting around 9:15
> > > Eastern time, to and from a wide variety of addresses.
> >
> > affirmative.  i just looked at my logs, and it looks like
> > each probe tries a bunch of things.  i haven't seen much
> > on the lists, but i'm looking right now.
>
> i'm pretty sure that the worm's attack phase starts on the 20th (which
> of course, depends upon a correctly set system clock) and also that
> attempting to execute something like /scripts/root.ext/c++ something
> is involved.
>
> i think that cert's website would be a good place to look.  i'm *not*
> a security/virus chick, but i did host a talk by marty linder of cert
> where he discected code red's activity and presented a summary.
>
> cert is of course, http://www.cert.org.
>
>
> deeann m.m. mikula
>
> director of operations
> telerama public access internet
> http://www.telerama.com
> 1.877.688.3200

James Smallacombe                     PlantageNet, Inc. CEO and Janitor
up () 3 am                                                          http://3.am
=========================================================================