Security Incidents mailing list archives
Re: Code Red, anyone?
From: Michael Sullenszino <mikesz () sullenszino org>
Date: Wed, 1 Aug 2001 07:45:45 -0700
Well, after emerging from the fallout shelter, I checked my NIDS for three different companies' subnets. Grand total: 48 instances of CodeRed signature matches (coincidentally, 16 incidents per site).

<g>Well, thank goodness we brought in a third T1 to handle the stress. </g>

Mike

On Tue, Jul 31, 2001 at 09:31:37PM -0500, Glenn Forbes Fleming Larratt wrote:
> Here at (unnamed-for-policy-reasons academic Class B) we've seen exactly one packet matching our Snort rule for IIS exploit attempts of the sort that include Code Red (from 195.219.102.44 in .de, FWIW).
>
> We've also examined MRTG graphs of all our network and subnet links, paying particular attention to the turnover of 0000 UTC 1 August, and have observed no anomalies in traffic flows that would indicate either widespread infection or DDoS attempts.
>
> -g
>
> On Tue, 31 Jul 2001, Alfred Huger wrote:
> > I realize that most of you have taken shelter and are awaiting the impending demise of the Internet as we know it. However for those of you stalwart bastions of courage who are still manning the ship in the face of this clear and present danger, I have a question. Anyone seeing Code Red activity yet?
>
> --
> Glenn Forbes Fleming Larratt
> The Lab Ratt (not briggs :-)
> glratt () io com
> http://www.io.com/~glratt
> There are imaginary bugs to chase in heaven.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
--
Michael Sullenszino      /----------------------------------------\
mike () sullenszino org  || Powered by OpenBSD (www.OpenBSD.org)  ||
www.sullenszino.org      || & Debian GNU/Linux (www.debian.org)   ||
206.722.6539             \----------------------------------------/