Security Incidents mailing list archives

RE: HTTP connections


From: Dean Cunningham <Dean.Cunningham () ew govt nz>
Date: Fri, 20 Jul 2001 13:15:37 +1200

Looks like Code Red, but not seeing the 3 hits per IP address, just one.
May be due to the different FW logs, I use Firewall-1.

We have had 30 attempts over that time against our website.

As it was in the wild on Monday and about Wednesday was at 20,000 (according
to SANS), I would expect the infection rate is nearer 100,000+,
based on:

1) till 17 Jul 2001 06:00 GMT our logged attempts were in the 10s a day
2) Really kicked in at about 17 Jul 2001 06:00 GMT
3) We have had about 5000 attempts in the last 12 hours

regards
Dean

-----Original Message-----
From: Gillard, Paul [mailto:paul.gillard () radioscape com]
Sent: Friday, 20 July 2001 5:23 AM
To: incidents () securityfocus com
Subject: HTTP connections



In the past hour I've seen a dramatic increase in attempted connections to
port 80 for all the IPs we own, none of which are web servers. I usually
get about 1 a day but in the last hour I've had over thirty different IPs
trying to connect and it looks like it's increasing (examples below).

Has anybody any ideas on why this should increase so suddenly? Maybe
attempts from "code red" infected machines?

24.14.236.44     aaa.bbb.ccc.73    1130      80            deny   eth0:6
24.14.236.44     aaa.bbb.ccc.73    1130      80            deny   eth0:6
24.14.236.44     aaa.bbb.ccc.73    1130      80            deny   eth0:3
63.107.98.2      aaa.bbb.ccc.70    34296     80            deny   eth0:3
63.107.98.2      aaa.bbb.ccc.70    34296     80            deny   eth0:3
63.107.98.2      aaa.bbb.ccc.70    34296     80            deny   eth0:7
65.42.206.68     aaa.bbb.ccc.74    2193      80            deny   eth0:7
65.42.206.68     aaa.bbb.ccc.74    2193      80            deny   eth0:7
65.42.206.68     aaa.bbb.ccc.74    2193      80            deny   eth0
200.253.169.10   aaa.bbb.ccc.66    21999     80            deny   eth0
200.253.169.10   aaa.bbb.ccc.66    21999     80            deny   eth0:6
203.247.201.87   aaa.bbb.ccc.73    3582      80            deny   eth0:6
203.247.201.87   aaa.bbb.ccc.73    3582      80            deny   eth0:6
203.247.201.87   aaa.bbb.ccc.73    3582      80            deny   eth0:2
217.88.174.72    aaa.bbb.ccc.68    3163      80            deny   eth0:2
217.88.174.72    aaa.bbb.ccc.68    3163      80            deny   eth0:2
217.88.174.72    aaa.bbb.ccc.68    3163      80            deny   eth0:8
63.218.145.156   aaa.bbb.ccc.75    2684      80            deny   eth0:8
63.218.145.156   aaa.bbb.ccc.75    2684      80            deny   eth0:8
63.218.145.156   aaa.bbb.ccc.75    2684      80            deny   eth0:1
204.210.242.171  aaa.bbb.ccc.67    1503      80            deny   eth0:1
204.210.242.171  aaa.bbb.ccc.67    1503      80            deny   eth0:1
204.210.242.171  aaa.bbb.ccc.67    1503      80            deny   eth0:1   

Paul Gillard
System Administrator
RadioScape Ltd.
+44 (0)20 7317 3414
paul.gillard () radioscape com


 




----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
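
Added example, not part of either message: the reply notes that one firewall logs three lines per source while another logs one, so raw line counts are not comparable between sites. This Python sketch collapses denied port-80 lines that share source, destination and source port into one connection attempt and counts distinct sources. The sample log is constructed (documentation addresses in the same column layout as the excerpt), and treating such repeats as a single attempt is an assumption.

```python
from collections import Counter

# Constructed sample, same columns as the excerpt in the thread:
# source, destination, source port, destination port, action, interface.
SAMPLE_LOG = """\
192.0.2.10       aaa.bbb.ccc.73    1130      80            deny   eth0:6
192.0.2.10       aaa.bbb.ccc.73    1130      80            deny   eth0:6
192.0.2.10       aaa.bbb.ccc.73    1130      80            deny   eth0:3
198.51.100.7     aaa.bbb.ccc.70    34296     80            deny   eth0:3
198.51.100.7     aaa.bbb.ccc.70    34296     80            deny   eth0:3
203.0.113.5      aaa.bbb.ccc.74    2193      80            deny   eth0
203.0.113.5      aaa.bbb.ccc.66    2194      80            deny   eth0
203.0.113.9      aaa.bbb.ccc.66    4000      25            deny   eth0
this line is malformed
"""

def parse_line(line):
    """Return a record dict, or None if the line does not fit the layout."""
    parts = line.split()
    if len(parts) != 6 or not (parts[2].isdigit() and parts[3].isdigit()):
        return None
    src, dst, sport, dport, action, iface = parts
    return {"src": src, "dst": dst, "sport": int(sport),
            "dport": int(dport), "action": action, "iface": iface}

def summarize(log_text, port=80):
    """Collapse repeated lines per (src, dst, sport) and count sources."""
    attempts = Counter()  # (src, dst, sport) -> number of log lines
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep count so silent parse failures are visible
            continue
        if rec["action"] == "deny" and rec["dport"] == port:
            attempts[(rec["src"], rec["dst"], rec["sport"])] += 1
    repeats = Counter(attempts.values())  # lines per attempt -> how many attempts
    return {
        "distinct_sources": len({key[0] for key in attempts}),
        "connection_attempts": len(attempts),
        "log_lines": sum(attempts.values()),
        "lines_per_attempt": dict(sorted(repeats.items())),
        "skipped": skipped,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Comparing `connection_attempts` or `distinct_sources` rather than `log_lines` keeps counts from firewalls with different logging behaviour on the same footing.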

