[Dshield] How Do You Detect Code Red Host Scans
meuon at highertech.net
Sun Aug 5 03:08:09 GMT 2001
> There actually *isn't* a scanning phase from what I understand. The worm
> picks an IP address and sends the exploit to port 80, and then moves on to
It looks like a scanning phase when you watch it with a sniffer.
It's pretty if you are using EtherApe or similiar, easy to sight.
Buts it's just the beginnings of a port 80 connect from what I have
captured and seen. We are seeing a lot more port 80 and other scans.
ZoneAlarm on my laptop got so noisy I stuck it behind a firewall.
More information about the list