[Dshield] How Do You Detect Code Red Host Scans

Paul Hustava hinshara at mindspring.com
Sun Aug 5 15:01:50 GMT 2001


There are scans to port 80 now. Do they have anything to do with this newer
Code Red (XXXX's)? My brain says yes, but these do not seem to arrive in a
pattern which is related in any way to the 'GET /' commands I have been
getting.

They are SYN packets in groups of 3, each of the 3 coming in anywhere from 3 to
7 seconds apart. The vast majority are coming from my netblock, just like the
latest Code Red's 'GET' pattern. I got my first one on Aug-04 at 10:48 CDT from
63.52.239.200. I got my first XXXXX style 'GET' command at 08:46 CDT, exactly 2
hours before the rest started flooding in. The 08:46 hit may have been a bad TZ
setting on the remote host.

I hope to see some of this aggregated data which is being collected. I'd be
interested in seeing infection patterns by netblock, SYN patterns & separate
histograms for each variant.

I still think it's possible that we are only in the initial 'install phase'
here.

What really pisses me off is these CNET type sites that went ahead and released
their canned "what a letdown" articles just hours before the fun really
started. That was not a good thing. It caused a lot of people to let down their
guard.
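An added example, not part of the original post, showing how the two port-80 patterns described above could be picked out of a sensor log: SYN triplets from one source with each gap in the 3 to 7 second range, 'GET /' requests carrying a long run of X's, and whether the source sits inside the sensor's own netblock. The log lines, the line format and the /16 netblock are constructed assumptions.

```python
"""Flag SYN triplets and X-style GETs to port 80 in a constructed sensor log."""
from datetime import datetime
import ipaddress
import re

# Constructed sample log, not real capture data. Format: date time src dst:port payload
SAMPLE_LOG = """\
2001-08-04 10:48:00 63.52.239.200 63.52.10.5:80 SYN
2001-08-04 10:48:04 63.52.239.200 63.52.10.5:80 SYN
2001-08-04 10:48:10 63.52.239.200 63.52.10.5:80 SYN
2001-08-04 10:49:00 198.51.100.7 63.52.10.5:80 SYN
2001-08-04 10:49:01 198.51.100.7 63.52.10.5:80 SYN
2001-08-04 08:46:00 63.52.77.9 63.52.10.5:80 GET /XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2001-08-04 11:02:00 203.0.113.4 63.52.10.5:80 GET /index.html
"""
SENSOR_NETBLOCK = ipaddress.ip_network("63.52.0.0/16")  # assumed size of "my netblock"
LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+):(\d+) (.*)$")

def parse(log):
    """Turn log lines into (timestamp, src, dst_port, payload) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(4)), m.group(5)))
    return events

def syn_triplets(events, min_gap=3, max_gap=7):
    """Sources that sent 3 SYNs to port 80 with both inter-arrival gaps in [min_gap, max_gap] s."""
    by_src = {}
    for ts, src, port, payload in events:
        if port == 80 and payload == "SYN":
            by_src.setdefault(src, []).append(ts)
    hits = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - 2):
            gaps = [(times[i + 1] - times[i]).total_seconds(),
                    (times[i + 2] - times[i + 1]).total_seconds()]
            if all(min_gap <= g <= max_gap for g in gaps):
                hits.append(src)
                break
    return hits

def x_style_gets(events, min_run=20):
    """Sources whose 'GET /' request line to port 80 carries a run of at least min_run X's."""
    pat = re.compile(r"^GET /\S*X{%d,}" % min_run)
    return [src for ts, src, port, payload in events if port == 80 and pat.match(payload)]

def from_local_netblock(srcs, netblock=SENSOR_NETBLOCK):
    """Subset of sources that fall inside the sensor's own netblock."""
    return [s for s in srcs if ipaddress.ip_address(s) in netblock]
```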
