[Dshield] Code Red Vers. 1 sightings.

Brad Morgan B-Morgan at concentric.net
Wed Oct 10 00:09:46 GMT 2001


My ZoneAlarm log doesn't differentiate between the various port 80 probes,
but using ZoneLog Analyser, I saw 3 days (2-4 Oct) of light activity (30-35
probes/day) and then it went back to the pre-Nimda "background" of 100-200
probes/day.

For a second there, I thought maybe my ISP (Sprint Broadband Direct) was
making good on their threat to shut off infected computers (which violate
their AUP by running any server, let alone an infected one).

Oh well, I guess I'd better get used to the new "background" level.  I don't
think it will ever go away.

Regards,

Brad

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Johannes B. Ullrich
Sent: Tuesday, October 09, 2001 8:55 AM
To: dshield at dshield.org
Subject: [Dshield] Code Red Vers. 1 sightings.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


After CodeRed shut itself off on Oct. 1st, the door is open again for CRI
to spread. We did already receive a few sightings. However, as there was
almost a week of quiet time, it would be interesting to get the first one.

Please check your web logs and see if they include the typical
signature... here is a sample:

4.18.227.20 - - [07/Oct/2001:10:39:55 -0400] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 326

Please only send the earliest few samples you have in your logs from
October. Just send them to me directly (jullrich at dshield.org).

 Thanks!

- --
- -------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7ww/jVOIizK5pIDMRAq9TAKCIXm2E20Lk5CAnpLvOdqC7VuPnnQCeM2N7
Ea9MCs5lPMtJRbC7dXiNySk=
=34BL
-----END PGP SIGNATURE-----

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield
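The request Johannes asks people to look for has a very recognisable shape: a GET for /default.ida? followed by a long run of filler characters and a string of %u-encoded values. The following script, added here as an example and not taken from either message or from DShield's own tooling, parses web server access log lines in the common/combined format, picks out requests matching that shape, and lists the earliest hits for a given month, which is exactly the "earliest few samples from October" the post asks for. The sample log entries are constructed (192.0.2.0/24 is the RFC 5737 documentation range), the filler-length threshold is an assumption, and the worm's original request also used a long run of N (CodeRed II used X), which the matcher accepts as well.

```python
import re
from datetime import datetime
from typing import Iterable, List, NamedTuple

# Common/combined log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red request: /default.ida? then a long filler run ('N' for Code Red v1/v2,
# 'X' for CodeRed II) followed by %u-encoded overflow data. The minimum run
# length of 50 is an assumption, chosen so ordinary .ida requests do not match.
CODERED_RE = re.compile(r'^/default\.ida\?(?P<filler>[NX]{50,})%u[0-9a-fA-F]{4}')


class Sighting(NamedTuple):
    when: datetime      # timezone-aware timestamp from the log entry
    host: str           # source address of the probe
    variant: str        # which filler character was used
    status: int         # HTTP status the server returned


def parse_sightings(lines: Iterable[str]) -> List[Sighting]:
    """Return every log entry whose request path carries the Code Red signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # not a parseable access-log line
        c = CODERED_RE.match(m.group('path'))
        if not c:
            continue                      # ordinary request, not the worm signature
        when = datetime.strptime(m.group('time'), '%d/%b/%Y:%H:%M:%S %z')
        variant = ('N filler (Code Red v1/v2)' if c.group('filler')[0] == 'N'
                   else 'X filler (Code Red II)')
        hits.append(Sighting(when, m.group('host'), variant, int(m.group('status'))))
    return hits


def earliest_sightings(lines: Iterable[str], year: int, month: int,
                       limit: int = 3) -> List[Sighting]:
    """The first `limit` signature hits in the given month, oldest first."""
    in_month = [s for s in parse_sightings(lines)
                if s.when.year == year and s.when.month == month]
    return sorted(in_month, key=lambda s: s.when)[:limit]


# Constructed sample log. The filler run and %u tail mimic the shape of the
# worm request; the addresses and timestamps are invented for this example.
FILLER = 'N' * 224
TAIL = ('%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3'
        '%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a')
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Oct/2001:10:39:55 -0400] "GET /default.ida?' + FILLER + TAIL + '  HTTP/1.0" 400 326',
    '192.0.2.11 - - [03/Oct/2001:22:14:02 -0400] "GET /default.ida?' + FILLER + TAIL + '  HTTP/1.0" 404 215',
    '192.0.2.12 - - [30/Sep/2001:09:00:00 -0400] "GET /default.ida?' + FILLER + TAIL + '  HTTP/1.0" 400 326',
    '192.0.2.13 - - [05/Oct/2001:01:02:03 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.14 - - [06/Oct/2001:12:00:00 -0400] "GET /default.ida?' + 'X' * 224 + TAIL + '  HTTP/1.0" 400 326',
]

if __name__ == '__main__':
    for s in earliest_sightings(SAMPLE_LOG, 2001, 10):
        print(s.when.isoformat(), s.host, s.variant, s.status)
```

A hit in this list means a probe reached the server, not that the server was compromised: the 400 in the post's sample (and the 400/404 in the constructed entries) shows the request being rejected, as it would be on anything that is not a vulnerable IIS host. Against a real log, replace SAMPLE_LOG with the lines of the access log and keep only the earliest few entries before sending them on.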