[Dshield] Fw: ACID Incident Report
Johannes B. Ullrich
jullrich at sans.org
Tue May 7 22:34:59 GMT 2002
Yes, it looks like regular CR, and CR is still cycling at the 19th...
This graph I just put together shows the drop on the 19th nicely:
On Tue, 7 May 2002, Ed Truitt wrote:
> Jeramie Mesenbring <jmesenbr at fastrodsrus.com> said:
> > Sorry about that folks. I was not ready to send that e-mail yet.
> > Anyway, was wondering if anyone has seen an increase in the default.ida
> > scans today? Also, can someone confirm/deny that this is just a "standard"
> > ida attempt?
> I can't "confirm" that it is in fact a "standard" ida attempt. However, I
> have noticed a huge increase in the number of "Code Red V2" probes in my
> Snort logs recently, and I did notice the reference to www.worm.com in the
> data. IIRC, this was the site that CR was communicating to (it is no longer
> on the 'Net, at least there is no rDNS that I can see.) I looked at the
> eEye analysis of Code Red, and it looks like the data you provided.
> Code Red does appear to have a "cycle", being dormant for a while, then
> scanning for new hosts to infect (Day 1-19 of the month), then launching a
> DDoS against the former IP of www.whitehouse.gov (Day 20+ of the month),
> then going dormant again.
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
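
Added example, not part of the original thread: a Python tally that counts default.ida requests per day in a web server access log, labels each day with the phase of the cycle described in the quoted message (scanning on days 1-19, DDoS from day 20), and lists days whose probes fall outside the scan window. The log lines are constructed sample data in Common Log Format, and all function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Common Log Format (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Apr/2002:03:12:44 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205
192.0.2.77 - - [18/Apr/2002:11:05:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205
198.51.100.4 - - [18/Apr/2002:11:09:31 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [18/Apr/2002:19:40:00 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205
203.0.113.9 - - [19/Apr/2002:23:58:10 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205
203.0.113.9 - - [19/Apr/2002:23:59:01 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205
203.0.113.9 - - [not a timestamp] "GET /default.ida?NNNN HTTP/1.0" 404 205
198.51.100.23 - - [21/Apr/2002:08:00:00 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def phase(day_of_month):
    """Cycle as described in the thread: scanning on days 1-19, DDoS from day 20."""
    return "scan" if day_of_month <= 19 else "ddos"

def tally_ida_probes(log_text):
    """Return ([(date, phase, probes, distinct_sources)], skipped_line_count)."""
    probes, sources, skipped = Counter(), {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        src, stamp, _method, target = m.groups()
        if not target.lower().startswith("/default.ida"):
            continue  # ordinary request, not an .ida probe
        try:
            day = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").date()
        except ValueError:
            skipped += 1  # probe with an unparseable timestamp: count it, don't crash
            continue
        probes[day] += 1
        sources.setdefault(day, set()).add(src)
    report = [(d.isoformat(), phase(d.day), probes[d], len(sources[d])) for d in sorted(probes)]
    return report, skipped

def off_cycle_days(report):
    """Days with probes outside the scan window; these do not fit the described cycle."""
    return [date for date, ph, count, _ in report if ph != "scan" and count]

if __name__ == "__main__":
    rows, skipped = tally_ida_probes(SAMPLE_LOG)
    for row in rows:
        print("%s  %-4s  probes=%d  sources=%d" % row)
    print("skipped lines:", skipped, "| off-cycle days:", off_cycle_days(rows))
```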