[Dshield] Code Red Vers. 1 sightings.
B-Morgan at concentric.net
Wed Oct 10 00:09:46 GMT 2001
My ZoneAlarm log doesn't differentiate between the various port 80 probes,
but using ZoneLog Analyser, I saw 3 days (2-4 Oct) of light activity (30-35
probes/day) and then it went back to the pre-Nimda "background" of 100-200
For a second there, I thought maybe my ISP (Sprint Broadband Direct) was
making good on their threat to shut off infected computers (which violate
their AUP by running any server, let alone an infected one).
Oh well, I guess I'd better get used to the new "background" level. I don't
think it will ever go away.
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Johannes B. Ullrich
Sent: Tuesday, October 09, 2001 8:55 AM
To: dshield at dshield.org
Subject: [Dshield] Code Red Vers. 1 sightings.
-----BEGIN PGP SIGNED MESSAGE-----
After CodeRed shut itself off on Oct. 1st, the door is open again for CRI
to spread. We did already receive a few sightings. However, as there was
almost a week of quiet time, it would be interesting to get the first one.
Please check your web logs and see if they include the typical
signature... here is a sample:
126.96.36.199 - - [07/Oct/2001:10:39:55 -0400] "GET
HTTP/1.0" 400 326
Please only send the earliest few samples you have in your logs from
October. Just send them to me directly (jullrich at dshield.org).
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
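One way to pull the earliest October Code Red v1 hits out of an Apache-style access log, as requested above; this is an added example, not part of the original messages. It assumes common log format and the widely documented worm request for /default.ida padded with a run of N (Code Red II pads with X); the function name, addresses and log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
# Assumption: v1 pads the /default.ida query with 'N', Code Red II with 'X'.
SIG_RE = re.compile(r'^GET /default\.ida\?(?P<pad>N{16,}|X{16,})')

def earliest_code_red_v1(lines, year=2001, month=10, limit=3):
    """Return the earliest `limit` (timestamp, host, line) v1 hits in the month."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated entry
        sig = SIG_RE.match(m.group("req"))
        if not sig or sig.group("pad")[0] != "N":
            continue  # not Code Red, or the X-padded Code Red II variant
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if (ts.year, ts.month) == (year, month):
            hits.append((ts, m.group("host"), line))
    # Timezone-aware datetimes sort by absolute time, so logs from
    # servers in different zones can be merged before picking the first.
    hits.sort(key=lambda h: h[0])
    return hits[:limit]

# Constructed sample data: documentation addresses, shortened padding.
PAD_N, PAD_X = "N" * 224, "X" * 224
SAMPLE = [
    f'192.0.2.10 - - [08/Oct/2001:03:12:01 -0400] "GET /default.ida?{PAD_N} HTTP/1.0" 400 326',
    f'198.51.100.7 - - [07/Oct/2001:10:39:55 -0400] "GET /default.ida?{PAD_N} HTTP/1.0" 400 326',
    f'203.0.113.5 - - [07/Oct/2001:16:00:00 +0200] "GET /default.ida?{PAD_N} HTTP/1.0" 404 210',
    f'192.0.2.44 - - [06/Oct/2001:09:00:00 -0400] "GET /default.ida?{PAD_X} HTTP/1.0" 400 326',
    f'192.0.2.80 - - [30/Sep/2001:23:59:59 -0400] "GET /default.ida?{PAD_N} HTTP/1.0" 400 326',
    '192.0.2.99 - - [07/Oct/2001:08:00:00 -0400] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ts, host, _ in earliest_code_red_v1(SAMPLE):
        print(ts.isoformat(), host)
```

The X-padded and September entries are skipped, and the +0200 entry sorts ahead of the 10:39:55 -0400 one because it is earlier in absolute time.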