[Dshield] (Re: Constant Activity) & Code Red

Neil Richardson pc_freak at cats.ucsc.edu
Sun Aug 5 05:55:16 GMT 2001

At 08:49 PM 8/4/2001, you wrote:
>I am having constant activity for the last day and a half. These logs show 
>the activity for approximately the last five hours. Anyone have an idea? 

Just glancing at the logs, it appears that a lot of machines are knocking 
on your door, trying to access a webserver.  If I understand the messages 
from the "general readership," the fact that most seem to be from the same 
subnet would indicate machines running IIS that are now infected with "Code 
Red v2.0" (my name--I don't know the official one).

* * * * *

To the general readership: I'd like to see if I correctly understand what 
is being said, and if so, to throw in my $0.02 and see if it makes the 
situation any more clear.

If I understand correctly, the picture currently emerging is that there is 
a Code Red v2.0, that seems to favor walking along the same subnet as the 
infected machine, but will spread to anything if it runs long enough.  If 
this is what people are seeing in their logs, then my $0.02 is a "Me, too" 
based on my own logs: the past few hours have seen a sharp increase in the 
number of probes from machines on my own network.  (Considering this is a 
dial-up ISP, I find it hard to believe that there are *that* many machines 
in my electronic neighborhood that are running W2k and IIS, but I don't 
know how else to interpret the numbers.)  I'm actually getting more HTTP 
probes than SS7 probes--and considering how many SS7 probes I used to get, 
and the fact that I thought most IIS servers were patched by now, this whole 
thing has me stumped.

Or am I grossly misunderstanding something?

-Neil R.
Random thought for the day:

    Give a man fire and he will be warm for a day,
    Set a man on fire and he will be warm for the rest of his life.
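A way to put numbers on the "most of the probes come from my own subnet" observation discussed in the message above. This is an added example, not code from the original post or from DShield: it parses a constructed firewall log (the line format and every address in it are invented, and the reporting host is assumed to be 24.123.45.200), keeps only the probes aimed at port 80, and counts how many come from the reporter's own /24, its own /16, or elsewhere. The thresholds in looks_like_neighbourhood_scanning are arbitrary starting points, not figures from the thread.

```python
import ipaddress
import re
from collections import Counter

# Assumed address of the reporting host (hypothetical; the post gives no IPs).
LOCAL_ADDR = ipaddress.ip_address("24.123.45.200")

# Constructed sample firewall log in an invented "src:port -> dst:port" format.
# It is not taken from the original post; all addresses are made up.
SAMPLE_LOG = """\
2001-08-04 20:49:12 TCP 24.123.45.17:3421 -> 24.123.45.200:80 SYN
2001-08-04 20:49:40 TCP 24.123.45.88:1055 -> 24.123.45.200:80 SYN
2001-08-04 20:50:03 TCP 24.123.201.9:4410 -> 24.123.45.200:80 SYN
2001-08-04 20:50:31 TCP 24.123.45.17:3422 -> 24.123.45.200:80 SYN
2001-08-04 20:51:17 TCP 198.51.100.7:2001 -> 24.123.45.200:27374 SYN
2001-08-04 20:52:05 TCP 24.123.7.150:1192 -> 24.123.45.200:80 SYN
2001-08-04 20:52:44 TCP 203.0.113.44:3920 -> 24.123.45.200:80 SYN
2001-08-04 20:53:10 TCP 24.123.45.88:1056 -> 24.123.45.200:80 SYN
2001-08-04 20:53:58 TCP 24.123.201.9:4411 -> 24.123.45.200:80 SYN
2001-08-04 20:54:21 TCP 203.0.113.44:3921 -> 24.123.45.200:21 SYN
2001-08-04 20:54:50 TCP 24.123.45.17:3423 -> 24.123.45.200:80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return (source address, destination port) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None  # source field is not an IP address
    return src, int(m.group("dport"))


def locality(src, local):
    """Classify a source relative to the reporting host's /24 and /16."""
    if src in ipaddress.ip_network(f"{local}/24", strict=False):
        return "same /24"
    if src in ipaddress.ip_network(f"{local}/16", strict=False):
        return "same /16"
    return "elsewhere"


def summarize_http_probes(log_text, local=LOCAL_ADDR, http_port=80):
    """Count probes to http_port by how close the source is to `local`."""
    by_locality = Counter()
    by_source = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or malformed lines rather than crash
        src, dport = parsed
        if dport != http_port:
            continue  # only web-server probes matter for this question
        by_locality[locality(src, local)] += 1
        by_source[str(src)] += 1
    total = sum(by_locality.values())
    nearby = by_locality["same /24"] + by_locality["same /16"]
    return {
        "total": total,
        "by_locality": dict(by_locality),
        "nearby_share": nearby / total if total else 0.0,
        "top_sources": by_source.most_common(3),
    }


def looks_like_neighbourhood_scanning(summary, min_probes=5, min_nearby_share=0.6):
    """True when enough HTTP probes arrive and most come from nearby address space.

    Thresholds are arbitrary starting points, not values from the post.
    """
    return summary["total"] >= min_probes and summary["nearby_share"] >= min_nearby_share


if __name__ == "__main__":
    s = summarize_http_probes(SAMPLE_LOG)
    print(f"HTTP probes: {s['total']}  by locality: {s['by_locality']}")
    print(f"share from own /16 or /24: {s['nearby_share']:.2f}")
    print("busiest sources:", s["top_sources"])
    print("neighbourhood scanning pattern:", looks_like_neighbourhood_scanning(s))
```

Run against a real log, the interesting output is the nearby share and the busiest sources: a handful of addresses in your own /24 each hitting port 80 repeatedly is the pattern the thread describes, and those addresses are the ones worth reporting to the ISP. Note that a high nearby share on its own only says where the scanners sit, not what they are running; confirming the worm needs the web-server log or the request itself, which this firewall-style log does not contain.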

