[Dshield] Fw: ACID Incident Report

Johannes B. Ullrich jullrich at sans.org
Tue May 7 22:34:59 GMT 2002

Yes. It looks like regular CR, and CR is still cycling at the 19th...
This graph I just put together shows the drop on the 19th nicely:


On Tue, 7 May 2002, Ed Truitt wrote:

> Jeramie Mesenbring <jmesenbr at fastrodsrus.com> said:
> > Sorry about that folks. I was not ready to send that e-mail yet.
> > 
> > Anyway, was wondering if anyone has seen an increase in the default.ida
> > scans today? Also, can someone confirm/deny that this is just a "standard"
> > ida attempt?
> > 
> I can't "confirm" that it is in fact a "standard" ida attempt.  However, I 
> have noticed a huge increase in the number of "Code Red V2" probes in my 
> Snort logs recently, and I did notice the reference to www.worm.com in the 
> data.  IIRC, this was the site that CR was communicating to (it is no longer 
> on the 'Net, at least there is no rDNS that I can see.)  I looked at the 
> eEye analysis of Code Red, and it looks like the data you provided.
> Code Red does appear to have a "cycle", being dormant for a while, then 
> scanning for new hosts to infect (Day 1-19 of the month), then launching a 
> DDoS against the former IP of www.whitehouse.gov (Day 20+ of the month), 
> then going dormant again.

jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System
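The kind of check the thread is doing by hand (counting default.ida probes per day and comparing them against the day-1-19 scanning / day-20+ DDoS cycle described above), as an added example that is not part of the list post. The log lines are constructed samples in common log format; the cycle boundary at day 19 is taken from the post, not from the worm's own code.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample web-server log lines (common log format); not taken from the thread.
# The query string after default.ida is shortened to a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2002:14:02:11 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 312
10.0.0.7 - - [07/May/2002:14:05:41 +0000] "GET /index.html HTTP/1.1" 200 1120
10.0.0.9 - - [19/May/2002:09:12:03 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 312
10.0.0.9 - - [21/May/2002:09:12:03 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 312
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)


def is_ida_probe(path):
    """True when the request path targets the .ida ISAPI handler used by Code Red probes."""
    return path.lower().startswith("/default.ida")


def expected_phase(day_of_month):
    """Expected worm phase for a calendar day, per the cycle described in the thread:
    days 1-19 scanning for new hosts, day 20 onward the DDoS (dormant) window."""
    return "scanning" if day_of_month <= 19 else "ddos"


def summarize(log_text):
    """Count default.ida probes per day and tag each day with the expected phase.
    Probes seen in the 'ddos' window contradict the plain Code Red cycle and are
    worth a closer look (the thread raises the possibility of a V2 variant)."""
    per_day = Counter()
    sources = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_ida_probe(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = ts.date().isoformat()
        per_day[key] += 1
        sources.setdefault(key, set()).add(m["ip"])
    return {
        day: {"probes": n, "sources": sorted(sources[day]),
              "phase": expected_phase(int(day[-2:])),
              "off_cycle": expected_phase(int(day[-2:])) == "ddos"}
        for day, n in per_day.items()
    }


if __name__ == "__main__":
    for day, info in sorted(summarize(SAMPLE_LOG).items()):
        print(day, info)
```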
