[Dshield] Code Red Host Scans (and more)

Greg Broiles gbroiles at well.com
Sat Aug 4 17:48:03 GMT 2001

At 10:19 AM 8/4/2001 -0700, John Groseclose wrote:

>I've spotted probes from all over: France, parts of Asia, Taiwan, Japan, 
>and an *awful* lot of probes from speakeasy.net (my provider, so I'm 
>talking to them about it.) I'm getting probes for this "new" version from 
>networks that never tried to connect via the "old" version.
>Today may get ugly, folks. It may get *really* ugly.
>Beginning about five hours ago, I've detected 97 probes of the "new" variety:

I'm also a speakeasy DSL customer, and I'm seeing a similar rate of 
probes/attempts, with a similar mix of old/new variants; am still wrestling 
with the snort submit script to mail the logs off to dshield.org.

My theory - unburdened by real info about the workings of the worm - is 
that it's trying to infect machines nearby in IP space, so one infected 
speakeasy machine 64.81.*.* becomes many infected speakeasy machines, which 
increases the number of probes, so more are infected, etc.

Greg Broiles
gbroiles at well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids
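
Added example, not part of the original post: one way to check a logged probe list for the locality described above, by measuring how many distinct sources fall inside the sensor's own /16 and /8. The sensor address, the probe list and the function names are constructed for illustration, and the uniform-spread baseline is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the post): a sensor address and the
# source IPs of probes it logged. One host repeats and one line is junk.
SENSOR = "64.81.10.20"
PROBES = ["64.81.3.7", "64.81.200.14", "64.81.77.90", "64.81.3.7",
          "64.12.5.9", "64.200.1.1", "211.5.6.7", "61.30.2.2",
          "194.2.3.4", "64.81.150.33", "not-an-ip"]

def distinct_sources(sources):
    """Parse and de-duplicate source IPs, skipping entries that are not IPv4."""
    seen = set()
    for s in sources:
        try:
            seen.add(ipaddress.IPv4Address(s.strip()))
        except ValueError:
            continue
    return sorted(seen)

def locality_report(sensor, sources):
    """Share of distinct sources inside the sensor's /16 and /8, against a baseline."""
    uniq = distinct_sources(sources)
    if not uniq:
        raise ValueError("no valid source addresses")
    report = {"distinct": len(uniq)}
    for prefix in (16, 8):
        net = ipaddress.ip_network(f"{sensor}/{prefix}", strict=False)
        inside = sum(ip in net for ip in uniq)
        # Crude baseline (assumption): sources spread evenly over all of IPv4.
        # Real hosts cluster in allocated blocks, so the ratio is an upper bound.
        expected = net.num_addresses / 2**32
        report[prefix] = {"network": str(net), "inside": inside,
                          "observed": inside / len(uniq),
                          "ratio": (inside / len(uniq)) / expected}
    return report

def top_blocks(sources, prefix=16, n=3):
    """Most common source blocks, counting each distinct source once."""
    blocks = Counter(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
                     for ip in distinct_sources(sources))
    return blocks.most_common(n)

if __name__ == "__main__":
    rep = locality_report(SENSOR, PROBES)
    for prefix in (16, 8):
        r = rep[prefix]
        print(f"{r['network']}: {r['inside']}/{rep['distinct']} sources, "
              f"{r['ratio']:.0f}x the uniform baseline")
    print("top /16 blocks:", top_blocks(PROBES))
```

A ratio far above 1 for the sensor's own /16 is consistent with nearby hosts probing more often than distant ones; it does not by itself show how the worm picks targets.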
