[Dshield] (Re: Constant Activity) & Code Red
patrick at pine.nl
Sun Aug 5 14:00:51 GMT 2001
On Sat, Aug 04, 2001 at 10:55:16PM -0700, Neil Richardson wrote:
> At 08:49 PM 8/4/2001, you wrote:
> >I am having constant activity for the last day and a half. These logs show
> >the activity for approximately the last five hours. Anyone have an idea?
> Just glancing at the logs, it appears that a lot of machines are knocking
> on your door, trying to access a webserver. If I understand the messages
> from the "general readership," the fact that most seem to be from the same
> subnet would indicate machines running IIS that are now infected with "Code
> Red v2.0" (my name--I don't know the official one).
V2 seems to be less efficient in spreading:
at my stats page at http://www.security.nl/misc/codered-stats/
I had 69803 v1 probes from 54854 distinct hosts, while I had
20225 v2 probes from 3925 distinct hosts.
Patrick Oonk - PO1-6BONE - E: patrick at pine.nl - www.pine.nl/~patrick
Pine Internet - PAT31337-RIPE - Hushmail: p.oonk at my.security.nl
T: +31-70-3111010 - F: +31-70-3111011 - http://security.nl
PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF 2F64 A65C 42AE 155C 3934
Excuse of the day: floating point processor overflow
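
The following is an added example, not part of the original message or of the stats page it mentions: a sketch of how per-variant probe and distinct-host counts like those quoted above can be tallied from a web server access log. It assumes Common Log Format and the widely documented request padding (runs of "N" for v1, runs of "X" for v2), which the post itself does not state; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Common Log Format (documentation-range addresses,
# padding shortened); not data from the original post.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:13:58:01 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 205
192.0.2.10 - - [05/Aug/2001:13:58:09 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 205
198.51.100.7 - - [05/Aug/2001:13:58:30 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 205
203.0.113.5 - - [05/Aug/2001:13:59:02 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 205
203.0.113.5 - - [05/Aug/2001:13:59:03 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 205
203.0.113.5 - - [05/Aug/2001:13:59:04 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 205
203.0.113.9 - - [05/Aug/2001:13:59:40 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 205
192.0.2.44 - - [05/Aug/2001:14:00:12 +0000] "GET /index.html HTTP/1.0" 200 1043
"""

# Assumption: the padding character after "default.ida?" separates the variants.
VARIANT = {"N": "v1", "X": "v2"}
# Source host, then a /default.ida request padded with 8+ copies of one letter.
PROBE = re.compile(r'^(\S+) .*?"GET /default\.ida\?([NX])\2{7,}')


def tally(lines):
    """Return {variant: (probe_count, distinct_host_count)} for matching lines."""
    probes = defaultdict(int)
    hosts = defaultdict(set)
    for line in lines:
        m = PROBE.match(line)
        if not m:
            continue  # ordinary traffic or an unrelated request
        variant = VARIANT[m.group(2)]
        probes[variant] += 1
        hosts[variant].add(m.group(1))
    return {v: (probes[v], len(hosts[v])) for v in sorted(probes)}


if __name__ == "__main__":
    for variant, (count, distinct) in tally(SAMPLE_LOG.splitlines()).items():
        # Probes per host shows whether a few sources account for most hits.
        print(f"{variant}: {count} probes from {distinct} distinct hosts "
              f"({count / distinct:.2f} per host)")
```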