[unisog] ida worm

Peter Van Epp vanepp at sfu.ca
Thu Jul 19 20:08:02 GMT 2001


Yep, I have reduced the load by 8 or 10 machines already today :-)
I created a Perl script that scans the argus logs looking for the number
of accesses to offsite web sites. Machines in the thousands to 10s of thousands
of hits on different sites get a closer look and are then taken off the net
(because they are infected with the red worm). I don't know how many are
hitting me because I didn't look (having enough trouble with my machines being
able to get out to other people :-)). I expect this will find all instances
(or at least most of them) of IIS on our campus ...

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> 
> http://www.eeye.com/html/Research/Advisories/AD20010618.html
> 
> We're getting hit with a ton of these, and the source IPs seem all over
> the map:
> 
> Thu Jul 19 08:33:06    HTTP request from 207.46.239.116: GET /default.ida?NN...
> Thu Jul 19 08:53:17    HTTP request from 211.220.44.29: GET /default.ida?NN...
> Thu Jul 19 09:26:38    HTTP request from 63.237.136.164: GET /default.ida?NN...
> Thu Jul 19 09:33:14    HTTP request from 217.12.96.66: GET /default.ida?NN...
> Thu Jul 19 10:00:43    HTTP request from 210.218.214.10: GET /default.ida?NN...
> Thu Jul 19 10:05:05    HTTP request from 63.165.102.41: GET /default.ida?NN...
> Thu Jul 19 10:40:26    HTTP request from 66.1.160.222: GET /default.ida?NN...
> Thu Jul 19 10:51:14    HTTP request from 61.155.18.78: GET /default.ida?NN...
> Thu Jul 19 10:51:53    HTTP request from 211.173.199.28: GET /default.ida?NN...
> Thu Jul 19 11:01:18    HTTP request from 216.114.79.35: GET /default.ida?NN...
> Thu Jul 19 11:01:57    HTTP request from 209.113.64.211: GET /default.ida?NN...
> 
> Anyone else getting barraged?
> 
> Thanks,
> --russ
> 
> -------------------------------------------------------------------------------
> Russ Harvey                             Internet: russ-harvey at ucr.edu
> Dept. of Computing and Communications       uucp: galaxy!russ
> Univ. of Calif., Riverside, CA 92521-0142  phone: (909) 787-5617
> 
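
The fan-out check described in the reply above (count how many different offsite web servers each campus host contacts, then look closely at the outliers), as an added Python example that is not the Perl script from the message. The four-field record layout (time, source, destination, destination port), the campus prefix 192.0.2.0/24 and the threshold of 1000 are assumptions, and the sample records are constructed rather than real argus output.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the original message): campus prefix, port set, threshold.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]
WEB_PORTS = {80}
THRESHOLD = 1000  # distinct offsite web servers before a host gets a closer look

def is_campus(ip):
    return any(ip in net for net in CAMPUS_NETS)

def offsite_web_fanout(lines):
    """Map each campus source to the number of distinct offsite web servers it contacted."""
    dests = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed records
        _time, src, dst, dport = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        # Only outbound web traffic counts: campus client, offsite server.
        if port in WEB_PORTS and is_campus(src_ip) and not is_campus(dst_ip):
            dests[src].add(dst_ip)
    return {src: len(seen) for src, seen in dests.items()}

def suspects(lines, threshold=THRESHOLD):
    """Campus hosts at or above the threshold, highest fan-out first."""
    counts = offsite_web_fanout(lines)
    hits = [(src, n) for src, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)

def constructed_sample():
    """Constructed records: one host sweeping 3000 addresses, one browsing 5 sites."""
    base = ipaddress.ip_address("198.18.0.0")  # benchmarking range as offsite stand-in
    records = [f"09:26:38 192.0.2.10 {base + i} 80" for i in range(3000)]
    records += [f"09:30:00 192.0.2.20 {base + (i % 5)} 80" for i in range(200)]
    records.append("09:31:00 198.18.0.9 192.0.2.30 80")  # inbound hit, ignored
    records.append("garbled line")                        # malformed, ignored
    return records

if __name__ == "__main__":
    for host, count in suspects(constructed_sample()):
        print(f"{host} contacted {count} distinct offsite web servers")
```

Counting distinct destinations rather than raw connections keeps a busy proxy or a user hammering a handful of sites below the threshold, while a host sweeping address space stands out.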


