Security Incidents mailing list archives

Re: CodeRed Activity


From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Wed, 1 Aug 2001 13:55:38 -0400

Greetings,

Looking at my firewall logs.  There are about 50 hosts behind the firewall.
Only a handful are listening on port 80. The following are the SYNs to
hosts that are not listening on port 80.  I usually get a few a day, today
there is a tremendous increase.  I attribute that to CodeRed, but I guess I
can't be 100% sure (as Al and the like have pointed out), though I am highly
inclined to believe it so....

Times are in EDT (GMT -4):
Time            Connection attempts
------------------------------------------------------
4-5 am          1
5-6 am          1
6-7 am          2
7-8 am          3
8-9 am          4
9-10 am         7
10-11 am        12
11-12 am        13
12-1 pm         21
1-1:40 pm       24

In addition, from Snort logs there are 16 confirmed CodeRed attempts to the
hosts that are listening on port 80...

HTH,
-Gary-

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
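
The tally described in the message above (SYNs to port 80 on hosts that do not listen there, bucketed by hour), as an added example that is not part of the original post. The log format, the `LISTENERS` set, the addresses, the baseline threshold and the function names are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Assumption: internal hosts that really run a web server on port 80.
LISTENERS = {"192.0.2.10", "192.0.2.11"}

# Constructed sample in a hypothetical firewall log format:
# timestamp  source  destination  dest-port  tcp-flags
SAMPLE_LOG = """\
2001-08-01T09:12:03 198.51.100.7 192.0.2.23 80 S
2001-08-01T09:40:51 203.0.113.5 192.0.2.10 80 S
2001-08-01T10:02:17 198.51.100.9 192.0.2.31 80 S
2001-08-01T10:15:44 203.0.113.77 192.0.2.23 80 S
2001-08-01T10:31:09 198.51.100.7 192.0.2.40 25 S
2001-08-01T10:48:30 203.0.113.12 192.0.2.31 80 SA
2001-08-01T10:59:58 198.51.100.200 192.0.2.44 80 S
truncated line
"""

def hourly_dark_syns(log_text, listeners, port=80):
    """Count bare SYNs per hour sent to `port` on hosts not listening on it."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip malformed records
        ts, _src, dst, dport, flags = fields
        if flags != "S" or int(dport) != port or dst in listeners:
            continue  # not a bare SYN, wrong port, or a real web server
        try:
            hour = datetime.fromisoformat(ts).hour
        except ValueError:
            continue  # unparseable timestamp
        counts[hour] += 1
    return dict(sorted(counts.items()))

def per_hour_rate(count, minutes):
    """Scale a partial bucket (the 40-minute '1-1:40 pm' row) to a full hour."""
    return count * 60 / minutes

def hours_above_baseline(counts, baseline):
    """Hours whose count exceeds the usual level (threshold is an assumption)."""
    return [hour for hour, n in counts.items() if n > baseline]

if __name__ == "__main__":
    counts = hourly_dark_syns(SAMPLE_LOG, LISTENERS)
    print(counts, hours_above_baseline(counts, baseline=2))
    print(per_hour_rate(24, 40))  # last row of the table, per full hour
```

Excluding the real listeners keeps legitimate web traffic out of the count, so any growth in the hourly figures reflects unsolicited scanning only.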

