Security Incidents mailing list archives

Re: Code Red, anyone?


From: thomas lakofski <thomas () 88 net>
Date: Wed, 1 Aug 2001 13:38:33 +0100 (BST)

On Tue, 31 Jul 2001, Alfred Huger wrote:

> I realize that most of you have taken shelter and are awaiting the
> impending demise of the Internet as we know it. However for those of you
> stalwart bastions of courage who are still manning the ship in the face of
> this clear and present danger, I have a question. Anyone seeing Code Red
> activity yet?

my host with 2 IPs has seen so far exactly 1 probe that looks like the code red
attempts (v2 i presume) i had seen many of on the 19th-20th of July.

Aug  1 11:09:42 io snort: IDS296/web-misc_http-whisker-splicing-attack-space: 194.133.117.220:3644 -> 209.9.230.110:80
Aug  1 11:09:43 io snort: IDS552/web-iis_IIS ISAPI Overflow ida: 194.133.117.220:3644 -> 209.9.230.110:80
Aug  1 11:09:43 io snort: IDS552/web-iis_IIS ISAPI Overflow ida: 194.133.117.220:3644 -> 209.9.230.110:80
Aug  1 11:09:43 io snort: IDS243/web-cgi_http-cgi-pipe: 194.133.117.220:3644 -> 209.9.230.110:80

full log of 4 packets at http://88.net/~thomas/codered.txt

times are UTC.

-thomas

-- 
 Do what thou wilt shall be the whole of the Law.
                -- Aleister Crowley
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43
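
Added example, not part of the original post: the four snort alerts quoted above all share one source address and source port, which is why they count as a single probe. The Python sketch below parses that syslog format and collapses alerts by TCP 4-tuple; the function names, and the choice to flag a probe by the "ISAPI Overflow ida" signature name, are assumptions made for this illustration.

```python
import re

# The four snort syslog lines quoted in the post above, verbatim.
SAMPLE = """\
Aug  1 11:09:42 io snort: IDS296/web-misc_http-whisker-splicing-attack-space: 194.133.117.220:3644 -> 209.9.230.110:80
Aug  1 11:09:43 io snort: IDS552/web-iis_IIS ISAPI Overflow ida: 194.133.117.220:3644 -> 209.9.230.110:80
Aug  1 11:09:43 io snort: IDS552/web-iis_IIS ISAPI Overflow ida: 194.133.117.220:3644 -> 209.9.230.110:80
Aug  1 11:09:43 io snort: IDS243/web-cgi_http-cgi-pipe: 194.133.117.220:3644 -> 209.9.230.110:80
"""

# timestamp, sensor host, signature name, then "src:port -> dst:port"
ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<sensor>\S+)\ssnort:\s(?P<sig>.+?):\s"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s->\s(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_alerts(text):
    """Return one dict per line that matches the alert format; skip the rest."""
    alerts = []
    for line in text.splitlines():
        m = ALERT.match(line)
        if m:
            a = m.groupdict()
            a["ts"] = " ".join(a["ts"].split())  # collapse syslog day padding
            alerts.append(a)
    return alerts

def group_probes(alerts):
    """Collapse alerts sharing a TCP 4-tuple into one probe record each."""
    probes = {}
    for a in alerts:
        key = (a["src"], a["sport"], a["dst"], a["dport"])
        p = probes.setdefault(key, {
            "src": a["src"], "dst": a["dst"], "dport": int(a["dport"]),
            "first": a["ts"], "alerts": 0, "signatures": [],
        })
        p["last"] = a["ts"]
        p["alerts"] += 1
        if a["sig"] not in p["signatures"]:
            p["signatures"].append(a["sig"])
    for p in probes.values():
        # Assumption: the .ida ISAPI overflow signature marks the probe type.
        p["ida_overflow"] = any("ISAPI Overflow ida" in s for s in p["signatures"])
    return list(probes.values())

if __name__ == "__main__":
    for probe in group_probes(parse_alerts(SAMPLE)):
        print(probe)
```

Grouping by 4-tuple assumes the log span is short enough that a source port is not reused by the same host for a second connection.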


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

