Security Incidents mailing list archives

original code red resurgence...


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Tue, 16 Oct 2001 12:39:05 +1300 (NZDT)

Greetings All,
              I have been watching the probe rate on port 80 and .ida 
attacks with interest since the shutdown of Code Red II at the 
beginning of the month.

Initially we saw a sharp drop in the number of addresses doing random 
probes to port 80 and an almost complete absence of .ida probes logged 
by snort. Then a very slow increase in .ida probes (the ones padded 
with "NNN").  Over the last few days the .ida probe rate has risen 
from one or two per day to approximately 1 per hour across our network 
and the overall probe rate has risen from around 1500 different source 
IPs per hour to 1800. 

The original code red is definitely still alive and spreading, albeit 
slowly.

There is one thing that puzzles me: snort (1.8.1) sometimes logs an 
alert for '.ida attempt' but does not log any packet and in some cases 
I have not been able to find the log entries in the web server logs.  
This suggests that something odd is breaking in snort.  I have posted a 
query on the snort_users mailing list but have not had any response.

Any ideas?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
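The two measurements the post tracks (distinct source IPs per hour and .ida probes per hour) and the check it asks for (a snort '.ida attempt' alert with no matching web-server log entry) can be pulled out of an Apache common-log file like this. This is an added example, not code from the post or from snort; the log lines, IP addresses and the 16-N minimum padding length are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample web-server lines in Apache common-log format (not traffic from the post);
# 203.0.113.x and 198.51.100.x are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Oct/2001:10:03:22 +1300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 400 0
203.0.113.11 - - [15/Oct/2001:10:15:40 +1300] "GET /index.html HTTP/1.1" 200 1234
203.0.113.10 - - [15/Oct/2001:10:44:01 +1300] "GET /robots.txt HTTP/1.0" 404 209
198.51.100.7 - - [15/Oct/2001:11:02:17 +1300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 400 0
198.51.100.8 - - [15/Oct/2001:11:09:55 +1300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 400 0
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# The original Code Red .ida request is padded with a long run of "N" characters (minimum length assumed).
IDA_RE = re.compile(r'^GET /default\.ida\?N{16,}', re.IGNORECASE)

def parse_ts(text):
    """Parse a common-log timestamp such as '15/Oct/2001:10:03:22 +1300' into an aware datetime."""
    return datetime.strptime(text, '%d/%b/%Y:%H:%M:%S %z')

def parse_line(line):
    """Return (source_ip, timestamp, request_line), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return (m.group('ip'), parse_ts(m.group('ts')), m.group('req')) if m else None

def hourly_stats(lines):
    """Map each hour to (distinct source IPs seen, .ida probes seen), the two rates the post tracks."""
    ips, ida = defaultdict(set), defaultdict(int)
    for ip, ts, req in filter(None, map(parse_line, lines)):
        hour = ts.strftime('%Y-%m-%d %H:00')
        ips[hour].add(ip)
        if IDA_RE.match(req):
            ida[hour] += 1
    return {h: (len(ips[h]), ida[h]) for h in ips}

def uncorroborated_alerts(alerts, lines, window_s=300):
    """Return the (ip, timestamp) IDS alerts with no .ida request from that IP in the web log
    within window_s seconds: the cases to investigate rather than take the IDS at its word."""
    probes = [(ip, ts) for ip, ts, req in filter(None, map(parse_line, lines)) if IDA_RE.match(req)]
    return [(ip, ts) for ip, ts in alerts
            if not any(p_ip == ip and abs((p_ts - ts).total_seconds()) <= window_s for p_ip, p_ts in probes)]

if __name__ == '__main__':
    for hour, (srcs, probes) in sorted(hourly_stats(SAMPLE_LOG.splitlines()).items()):
        print(f'{hour}: {srcs} distinct sources, {probes} .ida probes')
```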


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
