[Dshield] Code Red rising sharply again

Sean Graham seangra at yahoo.com
Tue Aug 28 20:48:28 GMT 2001

At 02:55 PM 8/28/2001 -0400, you wrote:
> > As you can see at our Code red stats at
> > http://www.security.nl/misc/codered-stats/,
> > the number of probes is rising sharply.
(shameful plug) ;)

> >
> > Fear not! as this is most probably Codered.d
> > re-infecting machines from people living
> > under a rock or two.
>1. School is back in session. Lots of kids that did not previously
>    have access to fast 'net connections, and have new PC's.

I thought school started in September...?  I would also assume that savvy 
universities would block incoming 21/80 port access, even before code red 
came out.  But even if not, IIS is installed on Servers and computers that 
you explicitly install "Personal Web Server" on.  I would assume that most 
new PCs (well, most new PCs probably don't have 2K installed, probably have 
ME), if they had 2K installed, wouldn't have Personal web server 
installed.  I would doubt that this would be a major cause of the uprise 
again.  I could be wrong.

>2. We are also seeing new scans that seem to be brute force
>    login attempts on porn sites. One client at a school
>    showed several machines attacking similiar sites.
>    This may be a worm, it may be a program run intentionally.
>    We'll find out soon...

What exactly do you mean by this?  Infected CodeRed machines attacking porn 
sites?  How do you know that these sites are being attacked?

>      --Mike--
>Dshield mailing list
>Dshield at dshield.org
>To change your subscription options (or unsubscribe), see: 

Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

More information about the list mailing list