Security Incidents mailing list archives

RE: CodeRed Observations. ## Christine_Kronberg () genua de

From: root <root () ns1 transurban com au>
Date: Tue, 18 Mar 2003 15:12:16 +1100

Christine_Kronberg () genua de 
Subject: RE: CodeRed Observations.
In-Reply-To: <9A01501BF79D864D95402AF6FBEE33D902928C8A () srtheismann eng emc com>
Message-ID: <Pine.LNX.4.30.0303141634200.21106-100000 () oglamar genua de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

On Thu, 13 Mar 2003, larosa, vjay wrote:


Some of the systems respond to a ping, none respond to
any HTTP requests. It doesn't mean that they are not
firewalled from incoming traffic though.


  I checked the entries in my logs. The only one that
  responded was indeed an IIS. All other IP gave me a
  "connection refused" or a simple timeout.

  With that being said about the non-three-way-handshake
  hits, I wonder if some of the addresses are spoofed;
  coming from a compiled list or something. Except for
  one hit all came from (different) 217.x.y.z addresses.
  Anyone else observed something similar?

  Have fun,

                                                Chris.


-- 
GeNUA mbH



----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>


.

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>

Current thread:

RE: CodeRed Observations. ## Christine_Kronberg () genua de root (Mar 18)