[Dshield] Code Red 1 - Yawn. - Thank You Dshield!

Scott Johnson scott at advancedtool.com
Mon Aug 20 11:39:46 GMT 2001


nexgo.de.eu.dal.net is a European chat server which is part of the dal.net 
(DalNet) group of IRC servers.  In this particular instance, blaming Code 
Red (I or II) may or may not be premature.  Sub 7 and several other problem 
children have also made dal.net their targets of attacks.  Being that this 
server has supposedly been patched, you may want your client to look at 
other problems.

As an IRC technical administrator on another IRC (chat) network that is 
much, much smaller, we see our share of these attacks as well.  Most of 
these are from Sub 7 that managed to get onto the network using other IIS 
holes.  In our experience, the quickest way to determine if this machine 
has a problem with Sub 7 or some of the other distributed denial of service 
trojans is a simple netstat -a on the server.  If you see 
oddball connections to ports in the 6660-7000 range to networks you're not 
familiar with, more than likely it's a Sub 7 (et al.) clone.

Scott Johnson



At 02:53 AM 08/19/2001 -0400, you wrote:


>  targets: 65.161.40.42  65.161.40.142 202.188.117.222 nexgo.de.eu.dal.net
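
The netstat check described in the message above, as an added example that is not part of the original post: it filters netstat output for TCP connections whose foreign port falls in the 6660-7000 range and whose foreign address is outside networks the administrator recognises. It assumes numeric output (`netstat -an` rather than `netstat -a`); the sample text, the addresses and the `known_networks` parameter are constructed for illustration.

```python
import ipaddress

IRC_PORTS = range(6660, 7001)  # the 6660-7000 range named in the message

# Constructed sample in Windows `netstat -an` layout (documentation addresses).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.23:3391     ESTABLISHED
  TCP    192.0.2.10:1045        203.0.113.7:6667       ESTABLISHED
  TCP    192.0.2.10:1046        203.0.113.99:7000      SYN_SENT
  TCP    192.0.2.10:1047        198.51.100.5:6667      ESTABLISHED
  TCP    192.0.2.10:6667        198.51.100.40:2210     ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; return (ip, port) or None."""
    host, _, port = endpoint.rpartition(":")
    try:
        return ipaddress.ip_address(host.strip("[]")), int(port)
    except ValueError:
        return None  # '*:*', resolved hostnames, header text

def suspicious_connections(netstat_text, known_networks=()):
    """Return (local, foreign, state) for TCP connections to a foreign
    port in IRC_PORTS on a network not listed in known_networks."""
    known = [ipaddress.ip_network(n) for n in known_networks]
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # headers, blank lines, UDP rows
        foreign = split_endpoint(fields[2])
        if foreign is None or fields[3] == "LISTENING":
            continue
        ip, port = foreign
        if port in IRC_PORTS and not any(ip in net for net in known):
            hits.append((fields[1], fields[2], fields[3]))
    return hits

if __name__ == "__main__":
    # 198.51.100.0/24 stands in for a network the administrator recognises.
    for local, foreign, state in suspicious_connections(SAMPLE, ["198.51.100.0/24"]):
        print(f"review: {local} -> {foreign} ({state})")
```

The row with local port 6667 is not reported, because the check looks at the foreign port only, matching "connections to ports in the 6660-7000 range".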



