Security Incidents mailing list archives

Nimda Infections and code red resurgence


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Wed, 14 Nov 2001 11:17:20 +1300 (NZDT)


On Tue, 13 Nov 2001 11:03:12 -0600 (CST) Neil Dickey 
<neil () geol niu edu> wrote:

> By the way, I noticed yesterday that someone seems to be trying to
> get CodeRed1 going again.

Code Red never went away, it just sleeps on the 19th (or 20th?) of the 
month and reawakens on the 1st.  Since it is cleared by rebooting, 
many infections die off over the ten days.  I have been watching this 
for the last few months.  It is usually about the 10th that snort picks 
up the first .ida attack and then for the next 10 days the rate slowly 
increases until by now I am seeing 2 or 3 an hour. (We have a /16 
address block and host lots of web servers.)

The population of unpatched machines is now sparse enough that it takes 
many days to reach saturation.

Others in this thread have bemoaned the fact that many reports of 
infection go unheeded.  I agree that many do, but I believe that it is 
still worthwhile reporting incidents, particularly if they are coming 
from responsible organisations.  Our network address block is in 
130.0.0.0/8 and so we see many scans from other addresses in this /8, 
which tends to be populated by large universities and corporations.  I 
have been diligently reporting all machines in the /8 over the last 
couple of months and on most days there are now only 3 or 4 machines (often 
at one site) scanning us from 130/8. Many other /8 blocks have upward 
of 40 or 50 machines.

Machines in 130/8 typically scan us at the rate of between 100 and 200 
probes per hour; those in other /8s at a rate of < 10 per hour. This is 
because of the bias to scan inside one's own /24 and /16.  What puzzles 
me, however, is that we see the odd machine in some unrelated /8 
probing at very high rates (well over 100 per hour).  On at least one 
occasion I verified (from the IDS) that the machine was attempting 
Nimda style attacks on any web server it found.  Very strange. 

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
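The observations above (counting .ida probes per source, seeing a much higher rate from one's own /8 than from elsewhere, and picking out the odd fast scanner from an unrelated /8) can be reproduced with a small log-triage script. The following is an added example, not code from the original post or from the list; the log lines are constructed, the observer's /16 (130.216.0.0/16) is a hypothetical choice inside the 130/8 block the post mentions, and the rate is computed as probes per active hour.

```python
"""Count Code Red style .ida probes per source from web-server or IDS
log lines, rate them per active hour, and bucket each source by how
close it sits to our own address block (same /16, same /8, other /8).
Added example; log lines below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Hypothetical observer block; the post only says it sits inside 130.0.0.0/8.
OUR_NET = ipaddress.ip_network("130.216.0.0/16")

# Constructed lines in a simplified "timestamp src dst method path proto" shape.
SAMPLE_LOG = """\
2001-11-13T10:02:11 130.216.5.7 130.216.34.10 GET /default.ida?XXXXXXXX HTTP/1.0
2001-11-13T10:07:45 130.216.5.7 130.216.34.11 GET /default.ida?XXXXXXXX HTTP/1.0
2001-11-13T10:15:02 130.12.44.9 130.216.34.12 GET /default.ida?NNNNNNNN HTTP/1.0
2001-11-13T10:20:30 192.0.2.17 130.216.34.13 GET /default.ida?NNNNNNNN HTTP/1.0
2001-11-13T10:21:01 192.0.2.17 130.216.34.14 GET /default.ida?NNNNNNNN HTTP/1.0
2001-11-13T10:22:09 192.0.2.17 130.216.34.15 GET /default.ida?NNNNNNNN HTTP/1.0
2001-11-13T10:30:00 198.51.100.4 130.216.34.16 GET /index.html HTTP/1.0
2001-11-13T11:05:59 130.12.44.9 130.216.34.17 GET /default.ida?NNNNNNNN HTTP/1.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) HTTP/\d\.\d$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, method, path = m.groups()
    return {"ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": dst, "method": method, "path": path}


def is_ida_probe(record):
    """Code Red hit the Index Server ISAPI extension via a .ida request."""
    return record["path"].lower().startswith("/default.ida")


def locality(src):
    """Classify a source relative to OUR_NET: same /16, same /8, or other /8."""
    if src in OUR_NET:
        return "same /16"
    if src.packed[0] == OUR_NET.network_address.packed[0]:
        return "same /8"
    return "other /8"


def probe_rates(log_text):
    """Map each probing source to probe count, active hours, per-hour rate
    and locality.  Rate = probes / number of distinct hours with probes."""
    counts = defaultdict(int)
    hours = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ida_probe(rec):
            continue
        counts[rec["src"]] += 1
        hours[rec["src"]].add(rec["ts"].replace(minute=0, second=0, microsecond=0))
    out = {}
    for src, n in counts.items():
        h = len(hours[src])
        out[str(src)] = {"probes": n, "hours": h,
                         "per_hour": n / h, "locality": locality(src)}
    return out


def unusual_sources(rates, threshold_per_hour):
    """Sources outside our /8 probing faster than the threshold: the case
    the post finds puzzling, and the ones most worth reporting first."""
    return sorted(src for src, r in rates.items()
                  if r["locality"] == "other /8" and r["per_hour"] > threshold_per_hour)


if __name__ == "__main__":
    rates = probe_rates(SAMPLE_LOG)
    for src, r in sorted(rates.items(), key=lambda kv: -kv[1]["per_hour"]):
        print(f"{src:15} {r['locality']:9} {r['probes']:3} probes "
              f"over {r['hours']} h = {r['per_hour']:.1f}/h")
    print("fast scanners from unrelated /8s:", unusual_sources(rates, 2))
```

On a real feed the rate threshold would be set from the baseline the post describes (under 10 per hour from unrelated /8s), so that a source at well over 100 per hour stands out immediately; the same-/8 bucket is the one to work through for abuse reports, since those machines tend to belong to identifiable institutions.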


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
