[Dshield] (Re: Constant Activity) & Code Red

Patrick Oonk patrick at pine.nl
Sun Aug 5 14:00:51 GMT 2001


On Sat, Aug 04, 2001 at 10:55:16PM -0700, Neil Richardson wrote:
> At 08:49 PM 8/4/2001, you wrote:
> >I am having constant activity for the last day and a half. These logs show 
> >the activity for approximately the last five hours. Anyone have an idea? 
> >Thanks.
> 
> Just glancing at the logs, it appears that a lot of machines are knocking 
> on your door, trying to access a webserver.  If I understand the messages 
> from the "general readership," the fact that most seem to be from the same 
> subnet would indicate machines running IIS that are now infected with "Code 
> Red v2.0" (my name--I don't know the official one).

V2 seems to be less efficient in spreading:

at my stats page at http://www.security.nl/misc/codered-stats/
I had 69803 v1 probes from 54854 distinct hosts, while I had
20225 v2 probes from 3925 distinct hosts.

	Patrick

-- 
 Patrick Oonk - PO1-6BONE - E: patrick at pine.nl - www.pine.nl/~patrick
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk at my.security.nl
 T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: floating point processor overflow
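
Added example, not part of the original post or of the stats page it links to: one way to derive per-variant probe counts and distinct-host counts like the ones quoted above from a web server access log. It assumes the padding letter after /default.ida? separates the variants (N for v1, X for v2), which the post does not state; the log lines are constructed, carry no payload, and the names tally and _line are hypothetical.

```python
import re
from collections import defaultdict

def _line(host, path):
    # Constructed common-log-format line; addresses are documentation ranges.
    return f'{host} - - [05/Aug/2001:10:00:00 +0000] "GET {path} HTTP/1.0" 404 205'

# Only the padding run is kept in the sample; no worm payload is included.
N, X = "/default.ida?" + "N" * 24, "/default.ida?" + "X" * 24
SAMPLE_LOG = "\n".join(_line(h, p) for h, p in [
    ("192.0.2.10", N), ("192.0.2.11", N), ("198.51.100.7", N), ("192.0.2.10", N),
    ("203.0.113.5", X), ("203.0.113.5", X), ("203.0.113.9", X),
    ("203.0.113.5", X), ("203.0.113.9", X),
    ("192.0.2.44", "/index.html"),          # ordinary request, ignored
    ("192.0.2.45", "/default.ida?id=1"),    # same path, no padding run, ignored
])

# Assumption: a run of 8 or more identical N or X characters marks a probe.
PROBE = re.compile(r'^(\S+) .*?"GET /default\.ida\?([NX])\2{7,}')

def tally(log_text):
    """Return {variant: {probes, hosts, per_host}} for matching log lines."""
    probes = defaultdict(int)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = PROBE.match(line)
        if not m:
            continue
        variant = "v1" if m.group(2) == "N" else "v2"
        probes[variant] += 1
        hosts[variant].add(m.group(1))
    return {
        v: {
            "probes": probes[v],
            "hosts": len(hosts[v]),
            # Repeat rate: how often the same source comes back.
            "per_host": round(probes[v] / len(hosts[v]), 2),
        }
        for v in probes
    }

if __name__ == "__main__":
    for variant, stats in sorted(tally(SAMPLE_LOG).items()):
        print(variant, stats)
```

Applied to the figures in the post, the probes-per-host ratio is about 1.27 for v1 (69803 / 54854) and about 5.15 for v2 (20225 / 3925).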



