nanog mailing list archives
FW: Code red- Returning?
From: "McBurnett, Jim" <jmcburnett () msmgmt com>
Date: Tue, 18 Mar 2003 13:38:57 -0500
I think this shouldgo here.. Mistype nanog.... Jim
-----Original Message----- From: Johannes Ullrich [mailto:jullrich () euclidian com] Sent: Tuesday, March 18, 2003 1:10 PM To: McBurnett, Jim Cc: anog () merit edu Subject: Re: Code red- Returning? Yes. This month, we are tracking about twice as many sources as usual scanning port 80. The likely reason is the release of Code Red F earlier this month. graph of port 80 activity for the last 2+months: ttp://www.dshield.org/port_report.php?port=80&days=70 In addition, there are some spikes in the number of targets scanned, which could be target list acquisitions for the next big thing (maybe the WebDav exploit). AFAIK, the only difference for Code Red F is that it changed the 'cut off year' at which it will stop scanning. So it probably infected some machines that due to clock settings where not infected by the other versions. But I haven't had a chance to look at it in detail. On Tue, 18 Mar 2003 12:50:17 -0500 "McBurnett, Jim" <jmcburnett () msmgmt com> wrote:Has anyone out there noticed an increase in a Code-Redpatterned virus?I know about the Microsoft bug that came out yesterday/last night. But I am seeing the same symptoms as Code Red, 800+ hits in the last 12 hours, from the same Class Anetwork I am on.The amount is increasing per hour.. It started with 50 the first hour and now it just about 150an hour...Thoughts? thanks, Jim-- -------------------------------------------------------------------- jullrich () euclidian com Collaborative Intrusion Detection join http://www.dshield.org
Current thread:
- Code red- Returning? McBurnett, Jim (Mar 18)
- RE: Code red- Returning? Eric Germann (Mar 18)
- <Possible follow-ups>
- RE: Code red- Returning? McBurnett, Jim (Mar 18)
- FW: Code red- Returning? McBurnett, Jim (Mar 18)
- RE: Code red- Returning? Mohammed Al Sukkar (Mar 18)