[Dshield] (Re: Constant Activity) & Code Red
pc_freak at cats.ucsc.edu
Sun Aug 5 05:55:16 GMT 2001
At 08:49 PM 8/4/2001, you wrote:
>I am having constant activity for the last day and a half. These logs show
>the activity for approximately the last five hours. Anyone have an idea.
Just glancing at the logs, it appears that a lot of machines are knocking
on your door, trying to access a webserver. If I understand the messages
from the "general readership," the fact that most seem to be from the same
subnet would indicate machines running IIS that are now infected with "Code
Red v2.0" (my name--I don't know the official one).
* * * * *
To the general readership: I'd like to see if I correctly understand what
is being said, and if so, to throw in my $0.02 and see if it makes the
situation any more clear.
If I understand correctly, the picture currently emerging is that there is
a Code Red v2.0, that seems to favor walking along the same subnet as the
infected machine, but will spread to anything if it runs long enough. If
this is what people are seeing in their logs, then my $0.02 is a "Me, too"
based on my own logs: the past few hours have seen a sharp increase in the
number of probes from machines on my own network. (Considering this is a
dial-up ISP, I find it hard to believe that there are *that* many machines
in my electronic neighborhood that are running W2k and IIS, but I don't
know how else to interpret the numbers.) I'm actually getting more HTTP
probes than SS7 probes--and considering how many SS7 probes I used to get,
and the fact that I thought most IIS's were patched by now, this whole
thing has me stumped.
Or am I grossly misunderstanding something?
Random thought for the day:
Give a man fire and he will be warm for a day,
Set a man on fire and he will be warm for the rest of his life.
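The "most probes come from my own subnet" observation in the message above can be turned into a simple check against a firewall log. The script below is an added example and is not code from the original post or from the DShield project; the log line format, the observer address and the sample lines are all constructed for illustration, and bucketing sources by shared /24, /16 and /8 prefix is an assumed generalization of the post's "same subnet" wording.

```python
"""Score how strongly HTTP (port 80) probes in a firewall log cluster around the
observer's own address prefixes.  Constructed example: the log format and the
sample lines are made up for illustration, not taken from any real log."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a made-up "<time> <src>:<sport> -> <dst>:<dport>" format.
# The observer is assumed to be 10.20.44.9; most port-80 hits come from 10.20.0.0/16.
SAMPLE_LOG = """\
2001-08-04T20:01:12 10.20.31.5:1234 -> 10.20.44.9:80
2001-08-04T20:02:03 10.20.31.77:2291 -> 10.20.44.9:80
2001-08-04T20:03:41 10.20.199.4:3310 -> 10.20.44.9:80
2001-08-04T20:04:10 10.77.1.2:4001 -> 10.20.44.9:80
2001-08-04T20:05:55 192.0.2.19:1802 -> 10.20.44.9:80
2001-08-04T20:06:02 10.20.31.5:1260 -> 10.20.44.9:80
2001-08-04T20:07:30 10.20.8.200:1025 -> 10.20.44.9:27374
2001-08-04T20:08:14 10.20.44.200:1400 -> 10.20.44.9:80
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_log(text):
    """Return (src_ip, dst_port) tuples for every well-formed line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(2), int(m.group(5))))
    return events


def cluster_report(events, observer_ip, port=80):
    """Count probe sources on `port` and bucket each hit by how much address
    prefix the source shares with the observer (/24, /16, /8, or elsewhere)."""
    me = ipaddress.ip_address(observer_ip)
    buckets = Counter()
    sources = Counter()
    for src, dport in events:
        if dport != port:
            continue  # only the web-server probes are of interest here
        sources[src] += 1
        ip = ipaddress.ip_address(src)
        if ip in ipaddress.ip_network(f"{me}/24", strict=False):
            buckets["/24"] += 1
        elif ip in ipaddress.ip_network(f"{me}/16", strict=False):
            buckets["/16"] += 1
        elif ip in ipaddress.ip_network(f"{me}/8", strict=False):
            buckets["/8"] += 1
        else:
            buckets["other"] += 1
    total = sum(buckets.values())
    local = buckets["/24"] + buckets["/16"] + buckets["/8"]
    return {
        "total": total,
        "distinct_sources": len(sources),
        "buckets": dict(buckets),
        "local_fraction": local / total if total else 0.0,
    }


def looks_like_local_preference_scan(report, threshold=0.6):
    """Heuristic (assumed threshold): a clear majority of port-80 probes from the
    observer's own /8 or closer is consistent with a worm that prefers nearby
    addresses, as opposed to uniformly random scanning from the whole Internet."""
    return report["total"] >= 5 and report["local_fraction"] >= threshold


if __name__ == "__main__":
    report = cluster_report(parse_log(SAMPLE_LOG), "10.20.44.9")
    print(report)
    print("local-preference scan?", looks_like_local_preference_scan(report))
```

Feed it your own log (after adapting `LINE_RE` to the real format) and your own address; a high `local_fraction` with many distinct sources is the pattern the post describes, while a low one with the same probe volume points at ordinary Internet-wide scanning.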