[Dshield] Code Red Host Scans (and more)

mike harrison meuon at highertech.net
Sun Aug 5 14:54:17 GMT 2001


> them coming from IPs that share the first 2 octets with mine. It looks to
> me like it's getting worse, as I have caught 4 more scans while writing this

I also noticed the addressing trend, when I first did my grep default.ida
check of the day, my first reaction was these were all coming from my own
addresses. Having a couple of differently blocked networks:

  66.129.0.0/19      is being scanned MOSTLY by: 66.x.x.x   (approx 80%)

  209.140.48.0/20    is being scanned mostly by: 66.x.x.x   (about  30%)

But then looking closer, it seems that most of these scans are coming from
home.com, mediaone.net and rr.com (cable modem providers) as well as a lot
of DSL providers with blocks starting in 66.x.x.x. So I don't
think it's as much a 'scanning a subnet' thing as much as a 'this is where
the easily infectable machines are' thing. Let's face it, responsible
people with real machines on fast connections have fixed them. Now we
have all the home and small business systems on cable/dsl/wireless
to deal with. It's still a statistical anomaly, that they seem to be
hitting machines 'close' to them, but maybe not so much of one.

Grep default.ida log excerpt from 209.140.49.20:
10/30 lines from 66.x.x.x

h00104bcc503f.ne.mediaone.net - - [04/Aug/2001:19:27:5
clt56-121-173.carolina.rr.com - - [04/Aug/2001:20:41:5
va-66-61-6-37.va.mediaone.net - - [04/Aug/2001:20:52:0
66-61-164-98.mc.cox.rr.com - - [04/Aug/2001:21:03:21 -
211.189.163.5 - - [04/Aug/2001:21:24:51 -0400] "GET /d
cs6625158-94.austin.rr.com - - [04/Aug/2001:21:25:01 -
adsl-64-170-92-66.dsl.lsan03.pacbell.net - - [04/Aug/2
dsl092-121-204.nyc2.dsl.speakeasy.net - - [04/Aug/2001
66-65-42-44.nyc.rr.com - - [04/Aug/2001:22:28:35 -0400
sc-66-27-194-28.socal.rr.com - - [04/Aug/2001:22:30:01
bdsl.66.12.164.218.gte.net - - [04/Aug/2001:22:35:46 -
adsl-66-136-29-37.dsl.hstntx.swbell.net - - [04/Aug/20
cpe-66-1-190-28.ut.sprintbbd.net - - [04/Aug/2001:22:5
dsl-212-135-214-3.dsl.easynet.co.uk - - [04/Aug/2001:2
dsl092-129-035.chi1.dsl.speakeasy.net - - [04/Aug/2001
202.84.11.90 - - [05/Aug/2001:00:40:11 -0400] "GET /de
fw1.quest.com - - [05/Aug/2001:02:37:28 -0400] "GET /d
66-74-204-237.san.rr.com - - [05/Aug/2001:02:41:11 -04
a66b8n136client149.hawaii.rr.com - - [05/Aug/2001:02:5
211.216.28.86 - - [05/Aug/2001:04:16:42 -0400] "GET /d
a66b8n136client149.hawaii.rr.com - - [05/Aug/2001:04:4
206.27.10.142 - - [05/Aug/2001:05:00:50 -0400] "GET /d
210.64.190.12 - - [05/Aug/2001:05:38:25 -0400] "GET /d
128.134.54.38 - - [05/Aug/2001:05:50:23 -0400] "GET /d
paulie.ne.mediaone.net - - [05/Aug/2001:06:36:37 -0400
ac98dd66.ipt.aol.com - - [05/Aug/2001:06:55:00 -0400]
server.theitgroup.ru - - [05/Aug/2001:08:08:01 -0400]
66-65-106-224.nyc.rr.com - - [05/Aug/2001:09:41:47 -04
bak-66-27-229-191.bak.rr.com - - [05/Aug/2001:09:42:38
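The check described in the post (grep the web server log for default.ida, then eyeball how many sources share the first octet or two with the scanned network) can be automated. The script below is an added example and is not code from the post or the list; it parses Apache common/combined log lines, keeps only requests for /default.ida, recovers a source address either directly or, heuristically, from an address embedded in the resolved hostname (the log above shows Apache was resolving clients, so many lines carry hostnames rather than IPs), and then buckets sources by shared prefix and by provider domain. The log lines embedded in it are constructed for the example; the hostnames are patterned on the excerpt, the request strings and byte counts are made up, and the network 66.129.0.0/19 is the one the post names.

```python
"""Tally Code Red probe sources from an Apache access log.

Added example, not part of the original post. It reproduces the post's
"grep default.ida" check with a regex over Common/Combined Log Format lines
and then buckets sources the way the post does by hand: how much of the
address prefix they share with the scanned network, and which provider
(last two DNS labels) they resolve to.

Where Apache logged a reverse-DNS hostname instead of an address, the
address is recovered heuristically from the hostname when it embeds one
(common for cable/DSL reverse DNS); hostnames without one are counted as
"unknown" for the prefix comparison.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (hostnames patterned on the post's excerpt; request
# strings, timestamps of the unresolved lines, status and sizes are made up).
SAMPLE_LOG = """\
66-61-164-98.mc.cox.rr.com - - [04/Aug/2001:21:03:21 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 287
211.189.163.5 - - [04/Aug/2001:21:24:51 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 287
adsl-64-170-92-66.dsl.lsan03.pacbell.net - - [04/Aug/2001:22:01:03 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 287
66.129.5.17 - - [04/Aug/2001:22:28:35 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 287
66-65-42-44.nyc.rr.com - - [04/Aug/2001:22:30:01 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 287
paulie.ne.mediaone.net - - [05/Aug/2001:06:36:37 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 287
192.0.2.44 - - [05/Aug/2001:07:00:00 -0400] "GET /index.html HTTP/1.0" 200 1043
"""

# client ident user [timestamp] "request" status size   (CLF prefix of combined format)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Four 1-3 digit groups separated by '-' or '.', not glued to other digits.
EMBEDDED_IP_RE = re.compile(
    r'(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)'
)
DOTTED_QUAD_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def client_address(client):
    """Return the client's IPv4Address, or None if it cannot be determined.

    A dotted quad is used as-is; otherwise the hostname is searched for an
    embedded address (heuristic: reverse-DNS names like 66-65-42-44.nyc.rr.com).
    """
    try:
        return ipaddress.IPv4Address(client)
    except ipaddress.AddressValueError:
        pass
    m = EMBEDDED_IP_RE.search(client)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def provider(client):
    """Bucket a client by its last two DNS labels (rr.com, mediaone.net, ...).

    Unresolved addresses get their own bucket. Two-label public suffixes such
    as co.uk are not special-cased; that is a known simplification.
    """
    if DOTTED_QUAD_RE.match(client):
        return "(unresolved IP)"
    labels = client.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else client


def probe_sources(log_text):
    """Yield the client field of every line requesting /default.ida."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and "/default.ida" in m.group("request"):
            yield m.group("client")


def summarize(log_text, local_net):
    """Count probe sources by shared prefix with local_net and by provider."""
    local_octets = str(ipaddress.IPv4Network(local_net).network_address).split(".")
    prefix = Counter()
    providers = Counter()
    total = 0
    for client in probe_sources(log_text):
        total += 1
        providers[provider(client)] += 1
        addr = client_address(client)
        if addr is None:
            prefix["unknown"] += 1
            continue
        octets = str(addr).split(".")
        if octets[:2] == local_octets[:2]:
            prefix["same first two octets"] += 1
        elif octets[0] == local_octets[0]:
            prefix["same first octet"] += 1
        else:
            prefix["other"] += 1
    return {"total": total, "prefix": dict(prefix), "providers": dict(providers)}


def first_octet_share(summary):
    """Fraction of attributable probes sharing at least the first octet with
    the local network; this is the percentage the post estimates by hand."""
    p = summary["prefix"]
    known = summary["total"] - p.get("unknown", 0)
    if known == 0:
        return 0.0
    return (p.get("same first two octets", 0) + p.get("same first octet", 0)) / known


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, "66.129.0.0/19")
    print(s)
    print("share sharing first octet: %.0f%%" % (100 * first_octet_share(s)))
```

Run it against a real access log with `summarize(open("access_log").read(), "66.129.0.0/19")`; the "unknown" bucket is worth watching, since a large one means the hostname heuristic is not recovering addresses for that provider's naming scheme and the percentage is being computed on a subset of the probes.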