[Dshield] How Do You Detect Code Red Host Scans

mike harrison meuon at highertech.net
Sun Aug 5 03:08:09 GMT 2001

> There actually *isn't* a scanning phase from what I understand. The worm
> picks an IP address and sends the exploit to port 80, and then moves on to

It looks like a scanning phase when you watch it with a sniffer. 
It's pretty if you are using EtherApe or similar, easy to sight.
But it's just the beginnings of a port 80 connect from what I have
captured and seen. We are seeing a lot more port 80 and other scans. 
ZoneAlarm on my laptop got so noisy I stuck it behind a firewall. 

