FW: Code red- Returning?

["McBurnett, Jim" <jmcburnett () msmgmt com>]

I think this shouldgo here..
Mistype nanog....

Jim

> -----Original Message-----
> From: Johannes Ullrich [mailto:jullrich () euclidian com]
> Sent: Tuesday, March 18, 2003 1:10 PM
> To: McBurnett, Jim
> Cc: anog () merit edu
> Subject: Re: Code red- Returning?
>
>
>
>
> Yes. This month, we are tracking about twice as many sources as usual
> scanning port 80. The likely reason is the release of Code Red 
> F earlier
> this month.
>
> graph of port 80 activity for the last 2+months:
> ttp://www.dshield.org/port_report.php?port=80&days=70
>
>
> In addition, there are some spikes in the number of targets 
> scanned, which
> could be target list acquisitions for the next big thing 
> (maybe the WebDav
> exploit).
>
> AFAIK, the only difference for Code Red F is that it changed 
> the 'cut off year'
> at which it will stop scanning. So it probably infected some 
> machines that due
> to clock settings where not infected by the other versions. 
> But I haven't had
> a chance to look at it in detail.
>
>
>
> On Tue, 18 Mar 2003 12:50:17 -0500
> "McBurnett, Jim" <jmcburnett () msmgmt com> wrote:
>
> > Has anyone out there noticed an increase in a Code-Red 
> patterned virus?
> > I know about the Microsoft bug that came out yesterday/last night.
> > But I am seeing the same symptoms as Code Red,
> > 800+ hits in the last 12 hours, from the same Class A 
> network I am on.
> > The amount is increasing per hour..
> > It started with 50 the first hour and now it just about 150 
> an hour...
> > Thoughts?
> >
> > thanks,
> > Jim
>
>
> -- 
> --------------------------------------------------------------------
> jullrich () euclidian com             Collaborative Intrusion Detection
>                                         join http://www.dshield.org