[Dshield] Fw: ACID Incident Report

Ed Truitt ed.truitt at etee2k.net
Tue May 7 21:48:18 GMT 2002

Jeramie Mesenbring <jmesenbr at fastrodsrus.com> said:

> Sorry about that folks. I was not ready to send that e-mail yet.
> Anyway, was wondering if anyone has seen an increase in the default.ida
> scans today? Also, can someone confirm/denny that this is just a "standard"
> ida attempt?

I can't "confirm" that it is in fact a "standard" ida attempt.  However, I 
have noticed a huge increase in the number of "Code Red V2" probes in my 
Snort logs recently, and I did notice the reference to www.worm.com in the 
data.  IIRC, this was the site that CR was communicating to (it is no longer 
on the 'Net, at least there is no rDNS that I can see.)  I looked at the 
eEye analysis of Code Red, and it looks like the data you provided.

Code Red does appear to have a "cycle", being dormant for awhile, then 
scanning for new hosts to infect (Day 1-19 of the month), then launching a 
DDoS against the former IP of www.whitehouse.gov (Day 20+ of the month), 
then going dormant again.

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew 
on my Web site, with the appropriate color commentary, so that 
others may have a good laugh at your expense."

More information about the list mailing list