nanog mailing list archives

Re: Worm probes

From: deeann mikula <deeann () telerama com>
Date: Tue, 18 Sep 2001 10:40:07 -0400 (EDT)


On Tue, 18 Sep 2001, ravi pina wrote:


On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma () pair com said at one point in time:



Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
probes this morning?  We're seeing about 8000/second, starting around 9:15
Eastern time, to and from a wide variety of addresses.


affirmative.  i just looked at my logs, and it looks like
each probe tries a bunch of things.  i haven't seen much
on the lists, but i'm looking right now.


i'm pretty sure that the worm's attack phase starts on the 20th (which
of course, depends upon a correctly set system clock) and also that
attempting to execute something like /scripts/root.ext/c++ something
is involved.

i think that cert's website would be a good place to look.  i'm *not*
a security/virus chick, but i did host a talk by marty linder of cert
where he discected code red's activity and presented a summary.

cert is of course, http://www.cert.org.


deeann m.m. mikula

director of operations
telerama public access internet
http://www.telerama.com
1.877.688.3200

Current thread:

Worm probes sigma (Sep 18)
- Re: Worm probes ravi pina (Sep 18)
  - Re: Worm probes deeann mikula (Sep 18)
    - Re: Worm probes up (Sep 18)
    - Re: Worm probes Bryan Heitman (Sep 18)
    - Re: Worm probes Valdis . Kletnieks (Sep 18)
    - Re: Worm probes Eric Gauthier (Sep 18)
    - Re: Worm probes.. Looking for captures. Michael Airhart (Sep 18)
    - Re: Worm probes Chris Grout (Sep 18)
    - Re: Worm probes ravi pina (Sep 18)
    - RE: Worm probes Mark Radabaugh - Amplex (Sep 18)
    - RE: Worm probes Mark Radabaugh - Amplex (Sep 18)
    - RE: Worm probes Tim Winders (Sep 18)

(Thread continues...)