[unisog] ida worm

Harris, Michael C. HarrisMC at health.missouri.edu
Thu Jul 19 20:33:58 GMT 2001


Yes, we have seen a couple of compromised machines, also seeing
large amounts of (ida) red worm traffic from random address ranges.
We have begun blocking port 80 except to known enterprise web
servers at our border.  I would be interested in what others are
using to filter network traffic for .ida worm?

Mike

--------------------------------------------------
Michael C Harris
System Security Analyst 
ITS / Research Education and Support
University of Missouri Health Center


-------------------------------------------------
This e-mail is sent with 99.73% recyclable electrons



-----Original Message-----
From: Russ Harvey [mailto:russ at cornucopia.ucr.edu]
Sent: Thursday, July 19, 2001 2:06 PM
To: unisog at sans.org
Cc: systems at listproc.ucr.edu
Subject: [unisog] ida worm



http://www.eeye.com/html/Research/Advisories/AD20010618.html

We're getting hit with a ton of these, and the source IPs seem all over
the map:

Thu Jul 19 08:33:06    HTTP request from 207.46.239.116: GET /default.ida?NN...
Thu Jul 19 08:53:17    HTTP request from 211.220.44.29: GET /default.ida?NN...
Thu Jul 19 09:26:38    HTTP request from 63.237.136.164: GET /default.ida?NN...
Thu Jul 19 09:33:14    HTTP request from 217.12.96.66: GET /default.ida?NN...
Thu Jul 19 10:00:43    HTTP request from 210.218.214.10: GET /default.ida?NN...
Thu Jul 19 10:05:05    HTTP request from 63.165.102.41: GET /default.ida?NN...
Thu Jul 19 10:40:26    HTTP request from 66.1.160.222: GET /default.ida?NN...
Thu Jul 19 10:51:14    HTTP request from 61.155.18.78: GET /default.ida?NN...
Thu Jul 19 10:51:53    HTTP request from 211.173.199.28: GET /default.ida?NN...
Thu Jul 19 11:01:18    HTTP request from 216.114.79.35: GET /default.ida?NN...
Thu Jul 19 11:01:57    HTTP request from 209.113.64.211: GET /default.ida?NN...

Anyone else getting barraged?

Thanks,
--russ

-------------------------------------------------------------------------------
Russ Harvey                             Internet: russ-harvey at ucr.edu
Dept. of Computing and Communications       uucp: galaxy!russ
Univ. of Calif., Riverside, CA 92521-0142  phone: (909) 787-5617
