nanog mailing list archives

Code Red Scans


From: Joe Blanchard <jblanchard () wyse com>
Date: Wed, 1 Aug 2001 13:03:03 -0700


Still seeing tons of traffic scanning for port 80s. Already sent off 4
emails to various .edus that appear to be infected (several nodes) and one
to Microsoft as well. In a brief listing of nodes my count is greater than
64k of unique IP addys so far.

Hmm, pretty bad when MS themselves look to be infected. Or maybe they're
"testing" something, or someone is spoofing?


Aug  1 12:37:36: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/3383 dst inside:xxx.xxx.xxx.xxx/80
Aug  1 12:37:40: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/3383 dst inside:xxx.xxx.xxx.xxx/80
Aug  1 12:40:04: %PIX-3-106010: Deny inbound tcp src outside:131.107.190.124/41854 dst inside:xxx.xxx.xxx.xxx/80
Aug  1 12:40:08: %PIX-3-106010: Deny inbound tcp src outside:131.107.190.124/41854 dst inside:xxx.xxx.xxx.xxx/80
Aug  1 12:40:39: %PIX-3-106010: Deny inbound tcp src outside:131.107.86.103/4167 dst inside:xxx.xxx.xxx.xxx/80
Aug  1 12:41:52: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/4367 dst inside:xxx.xxx.xxx.xxx/80
Aug  1 12:42:00: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/4367 dst inside:xxx.xxx.xxx.xxx/80
Aug  1 12:43:02: %PIX-3-106010: Deny inbound tcp src outside:131.107.90.67/3667 dst inside:xxx.xxx.xxx.xxx/80



        Microsoft Corporation (NET-MICROSOFT)
           One Redmond Way
           Redmond, WA 98052
           US

           Netname: MICROSOFT
           Netblock: 131.107.0.0 - 131.107.255.255

           Coordinator:
              Microsoft  (ZM39-ARIN)  noc () microsoft com




-Joe
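
An added example, not part of the original post: one way to tally deny lines like those quoted above into distinct connection attempts and unique sources per netblock. The sample log is constructed with documentation addresses, and treating repeated lines with the same source address, source port and destination as one attempt (a retried SYN) is an assumption.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the %PIX-3-106010 layout quoted in the post
# (documentation addresses, not data from the post).
SAMPLE_LOG = """\
Aug  1 12:37:36: %PIX-3-106010: Deny inbound tcp src outside:192.0.2.124/3383 dst inside:203.0.113.10/80
Aug  1 12:37:40: %PIX-3-106010: Deny inbound tcp src outside:192.0.2.124/3383 dst inside:203.0.113.10/80
Aug  1 12:40:04: %PIX-3-106010: Deny inbound tcp src outside:198.51.100.7/41854 dst inside:203.0.113.10/80
Aug  1 12:40:39: %PIX-3-106010: Deny inbound tcp src outside:192.0.2.103/4167 dst inside:203.0.113.11/80
Aug  1 12:41:52: %PIX-3-106010: Deny inbound tcp src outside:192.0.2.124/4367 dst inside:203.0.113.10/80
Aug  1 12:42:10: %PIX-3-106010: Deny inbound tcp src outside:198.51.100.9/1045 dst inside:203.0.113.10/25
"""

# \s+ between tokens also matches entries that a mail client wrapped after "src".
# The destination class allows "x" so masked addresses (xxx.xxx.xxx.xxx) parse too.
DENY_RE = re.compile(
    r"%PIX-3-106010: Deny inbound tcp src\s+\w+:(?P<src>[\d.]+)/(?P<sport>\d+)"
    r"\s+dst\s+\w+:(?P<dst>[\d.x]+)/(?P<dport>\d+)"
)

def summarize(log_text, dport=80, prefix_len=16):
    """Tally denied inbound TCP attempts to dport, grouped by source prefix."""
    attempts = set()   # (src, sport, dst): repeated lines collapse to one attempt
    lines = 0
    for m in DENY_RE.finditer(log_text):
        if int(m["dport"]) != dport:
            continue
        lines += 1
        attempts.add((m["src"], m["sport"], m["dst"]))
    by_prefix = defaultdict(set)
    for src, _, _ in attempts:
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        by_prefix[str(net)].add(src)
    return {
        "lines": lines,
        "attempts": len(attempts),
        "unique_sources": len({a[0] for a in attempts}),
        "by_prefix": {k: sorted(v, key=ip_address) for k, v in by_prefix.items()},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The default prefix length of 16 matches the size of the netblock in the whois output above; raw line counts overstate scanning activity when retries are logged separately.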
