[Dshield] RE: Code Red Vers. 1 sightings.
josh at raintreeinc.com
Wed Oct 10 18:51:25 GMT 2001
I've been seeing default.ida?XXXXXXXXXXXXXXX... (Code Red II, right?)
occasionally lately, but haven't seen cr1's signature in a "long" time.
PS. It is nice that Nimda has died down, isn't it :)
-----BEGIN PGP SIGNED MESSAGE-----
After CodeRed shut itself off on Oct. 1st, the door is open again for CRI to
spread. We did already receive a few sightings. However, as there was almost
a week of quiet time, it would be interesting to get the first one.
Please check your web logs and see if they include the typical signature...
here is a sample:
220.127.116.11 - - [07/Oct/2001:10:39:55 -0400] "GET
HTTP/1.0" 400 326
Please only send the earliest few samples you have in your logs from
October. Just send them to me directly (jullrich at dshield.org).
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
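
The log check requested above, sketched as an added example that is not part of the original messages: it scans Common Log Format lines for `default.ida?` requests, labels them by padding letter, and returns the earliest October hits. The X padding is what the reply quotes for Code Red II; the N padding for version 1 comes from public descriptions of the worm rather than this page; the run-length threshold, the function names and the sample lines are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Common Log Format: host, [timestamp], "METHOD path PROTO", status
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')
# default.ida? followed by a long run of one padding letter.
# The minimum run of 20 is an assumption chosen for this example.
PAD = re.compile(r'/default\.ida\?(N{20,}|X{20,})')

def classify(line):
    """Return (timestamp, host, variant) for a matching request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    host, ts, path = m.groups()
    p = PAD.search(path)
    if not p:
        return None
    # N padding -> version 1, X padding -> Code Red II
    variant = "CRv1" if p.group(1).startswith("N") else "CRII"
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), host, variant

def earliest(lines, variant, year=2001, month=10, limit=3):
    """Earliest `limit` hits of one variant within the given month."""
    hits = [h for h in map(classify, lines)
            if h and h[2] == variant
            and h[0].year == year and h[0].month == month]
    return sorted(hits)[:limit]

# Constructed sample log lines (documentation addresses, shortened padding).
SAMPLE = [
    '192.0.2.10 - - [07/Oct/2001:10:39:55 -0400] "GET /default.ida?'
    + "N" * 60 + ' HTTP/1.0" 400 326',
    '198.51.100.7 - - [05/Oct/2001:03:12:01 -0400] "GET /default.ida?'
    + "X" * 60 + ' HTTP/1.0" 404 290',
    '192.0.2.44 - - [03/Oct/2001:22:05:40 -0400] "GET /default.ida?'
    + "N" * 60 + ' HTTP/1.0" 400 326',
    '203.0.113.5 - - [06/Oct/2001:08:00:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.99 - - [30/Sep/2001:23:59:10 -0400] "GET /default.ida?'
    + "N" * 60 + ' HTTP/1.0" 400 326',
]

if __name__ == "__main__":
    for when, host, variant in earliest(SAMPLE, "CRv1"):
        print(when.isoformat(), host, variant)
```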