[Dshield] How Do You Detect Code Red Host Scans

John Hardin johnh at aproposretail.com
Sat Aug 4 17:55:14 GMT 2001

On Thu, 2 Aug 2001, Tim Dwayne Southard wrote:

> My IDS (Cisco Secure) is not detecting the host scans from infected
> machines.  I can see the default.ida?NNN stuff but I think that is the
> second stage (infection).  I need to see the port 80 scans regardless
> of whether they are scanning MS boxes.  Any assistance will be repaid
> with good Karma.

There actually *isn't* a scanning phase from what I understand. The worm
picks an IP address and sends the exploit to port 80, and then moves on to
the next address. That's why Cicso routers etc. are being nuked by it.

        John Hardin
        Internal Systems Administrator
        Apropos Retail Management Systems, Inc.
        <johnh at aproposretail.com>

More information about the list mailing list