RE: 'Code Red' does not seem to be scanning for IIS

[Duncan Hill <dhill () pct edu>]

On Thu, 19 Jul 2001, Kelly Martin wrote:

> thousand hits on our IP block in the past six hours or so with none
> before that, and that doesn't even count the ones that smacked
> silently against the firewall (port 80 is only open through the
> firewall to hosts that actually run public web servers, which is
> only a tiny fraction of the IPs in the block).

Something I've noticed in our Apache logs - 70% of the hits (maybe 20 so
far) are from cable modem and adsl style addresses (according to the dig
data).  Notably @home and mediaone.

I've attempted to mail some places that their server is infected.  Of 5
mails sent, 3 bounced as undeliverable to webmaster@domain.  One
actually routed through two aliases before bouncing!

Oh well, the Apache server is immune, the IIS server is patched, but
there are no hits in its logs (though there were plenty for the cmd.exe
exploit).

As a side note, our address block is in the 12.x.x.x range.. perhaps
AT&T isn't counted as a good target?

-- 

Sapere aude
My mind not only wanders, it sometimes leaves completely.