[Dshield] Fw: ACID Incident Report
ed.truitt at etee2k.net
Tue May 7 21:48:18 GMT 2002
Jeramie Mesenbring <jmesenbr at fastrodsrus.com> said:
> Sorry about that folks. I was not ready to send that e-mail yet.
> Anyway, was wondering if anyone has seen an increase in the default.ida
> scans today? Also, can someone confirm/deny that this is just a "standard"
> ida attempt?
I can't "confirm" that it is in fact a "standard" ida attempt. However, I
have noticed a huge increase in the number of "Code Red V2" probes in my
Snort logs recently, and I did notice the reference to www.worm.com in the
data. IIRC, this was the site that CR was communicating to (it is no longer
on the 'Net, at least there is no rDNS that I can see.) I looked at the
eEye analysis of Code Red, and it looks like the data you provided.
Code Red does appear to have a "cycle", being dormant for a while, then
scanning for new hosts to infect (Day 1-19 of the month), then launching a
DDoS against the former IP of www.whitehouse.gov (Day 20+ of the month),
then going dormant again.
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
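The triage the thread is asking for (is this default.ida probe the worm or a "standard" .ida attempt?), as an added example that is not part of the original post and not Ed's or Jeramie's code. It classifies captured HTTP request text, such as the payload one would pull out of a Snort packet dump, by the two indicators the thread and the eEye analysis point at: the long run of a single filler byte after `/default.ida?` ('N' for Code Red I v1/v2, 'X' for Code Red II) followed by the `%u9090%u6858%ucbd3%u7801` payload prefix, and the `HOST:www.worm.com` header. The sample requests, the source IPs, the 49-byte filler threshold and the family labels are constructed for this example; the full payload tail is reproduced only as sample data and plays no part in the matching.

```python
"""Triage of default.ida probes from captured HTTP request text (added example)."""
import re
from collections import Counter

# Start of the %u-encoded payload that follows the filler run in both
# Code Red I (v1/v2) and Code Red II requests, per eEye's analysis.
CODE_RED_PAYLOAD_PREFIX = "%u9090%u6858%ucbd3%u7801"

# Request line of an .ida overflow attempt: /default.ida? followed by a long run
# of one repeated filler byte (the worm sends 224 of them).  'N' = Code Red I
# (v1/v2), 'X' = Code Red II.  Requiring 50 is an assumption for this example.
LONG_IDA_RE = re.compile(
    r"^GET /default\.ida\?(?P<filler>.)(?P=filler){49,}(?P<rest>\S*) HTTP/1\.[01]\r?$",
    re.M,
)
# Any other request for an .ida resource (scanners, manual probes, short tests).
ANY_IDA_RE = re.compile(r"^GET \S*\.ida\b", re.M)
# The worm writes the header as "HOST:www.worm.com" with no space after the colon.
HOST_RE = re.compile(r"^HOST:\s*(\S+)", re.M | re.I)


def classify_request(raw: str) -> dict:
    """Classify one raw HTTP request; the returned dict always has a 'family' key."""
    m = LONG_IDA_RE.search(raw)
    if m is None:
        if ANY_IDA_RE.search(raw):
            return {"family": "other .ida request (no filler run)"}
        return {"family": "not an .ida probe"}
    filler, rest = m.group("filler"), m.group("rest")
    hm = HOST_RE.search(raw)
    host = hm.group(1) if hm else None
    if rest.startswith(CODE_RED_PAYLOAD_PREFIX):
        family = {"N": "Code Red I (v1/v2)", "X": "Code Red II"}.get(
            filler, "Code Red payload, unknown filler"
        )
    else:
        family = "other .ida overflow attempt"
    return {"family": family, "filler": filler, "host": host,
            "request_line_len": len(m.group(0))}


def summarize(records):
    """Count probes per family and per source so a spike and repeat sources stand out."""
    by_family, by_source = Counter(), Counter()
    for src, raw in records:
        fam = classify_request(raw)["family"]
        by_family[fam] += 1
        if fam != "not an .ida probe":
            by_source[src] += 1
    return by_family, by_source


def code_red_request(filler: str) -> str:
    """Constructed Code Red-style request for the sample set (headers abbreviated)."""
    query = (filler * 224 + CODE_RED_PAYLOAD_PREFIX * 3
             + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
    return (f"GET /default.ida?{query} HTTP/1.0\r\n"
            "Content-type: text/xml\r\n"
            "HOST:www.worm.com\r\n"
            " Accept: */*\r\n\r\n")


# Constructed sample: (source IP, raw request) pairs, not real captures.
SAMPLE_REQUESTS = [
    ("10.1.2.3", code_red_request("N")),
    ("10.1.2.3", code_red_request("N")),
    ("192.0.2.77", code_red_request("X")),
    ("198.51.100.9", "GET /default.ida?abc HTTP/1.0\r\nHost: victim.example\r\n\r\n"),
    ("203.0.113.4", "GET /index.html HTTP/1.0\r\nHost: victim.example\r\n\r\n"),
]

if __name__ == "__main__":
    for src, raw in SAMPLE_REQUESTS:
        print(src, classify_request(raw))
    families, sources = summarize(SAMPLE_REQUESTS)
    print("by family:", dict(families))
    print("by source:", dict(sources))
```

Run against a day's worth of reconstructed requests, the per-family count answers "is it the worm?" and the per-source count shows whether the increase is many infected hosts or one scanner; a request that hits `/default.ida` without the long filler run or the payload prefix is exactly the "standard" .ida attempt the thread distinguishes from Code Red.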