[Dshield] Code Red Host Scans (and more)

Greg Broiles gbroiles at well.com
Sat Aug 4 17:48:03 GMT 2001


At 10:19 AM 8/4/2001 -0700, John Groseclose wrote:

>I've spotted probes from all over: France, parts of Asia, Taiwan, Japan, 
>and an *awful* lot of probes from speakeasy.net (my provider, so I'm 
>talking to them about it.) I'm getting probes for this "new" version from 
>networks that never tried to connect via the "old" version.
>
>Today may get ugly, folks. It may get *really* ugly.
>
>Beginning about five hours ago, I've detected 97 probes of the "new" variety:

I'm also a speakeasy DSL customer, and I'm seeing a similar rate of 
probes/attempts, with a similar mix of old/new variants; am still wrestling 
with the snort submit script to mail the logs off to dshield.org.

My theory - unburdened by real info about the workings of the worm - is 
that it's trying to infect machines nearby in IP space, so one infected 
speakeasy machine 64.81.*.* becomes many infected speakeasy machines, which 
increases the number of probes, so more are infected, etc.


--
Greg Broiles
gbroiles at well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids




More information about the list mailing list