[unisog] ida worm

netadmin at humboldt.edu netadmin at humboldt.edu
Thu Jul 19 22:56:34 GMT 2001


Since this scan creates a nuisance-- ARP (broadcast) replies on 
the LAN side of our gateway, we've had to block all but a select list 
of TCP port 80 machines on our inbound gateway. The broadcasts 
were becoming way more than we could handle, and this has 
quieted things down for now. Be interesting to see how long it takes 
for this whole worm problem to die down... Until then, we'll have to 
live with this "temporary" access control list.
Ben Curran

On 19 Jul 2001, at 13:08, Peter Van Epp wrote:

>  Yep, I have reduced the load by 8 or 10 machines already today :-) I
> created a perl script that scans the argus logs looking for the number
> of accesses to offsite web sites. Machines in the thousands to 10s of
> thousands of hits on different sites get a closer look and then taken
> off the net (because they are infected with the red worm). I don't
> know how many are hitting me because I didn't look (having enough
> trouble with my machines being able to get out to other people :-)). I
> expect this will find all instances (or at least most of them) of IIS
> on our campus ...
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
> > 
> > 
> > http://www.eeye.com/html/Research/Advisories/AD20010618.html
> > 
> > We're getting hit with a ton of these, and the source IPs seem all
> > over the map:
> > 
> > Thu Jul 19 08:33:06    HTTP request from 207.46.239.116: GET /default.ida?NN...
> > Thu Jul 19 08:53:17    HTTP request from 211.220.44.29: GET /default.ida?NN...
> > Thu Jul 19 09:26:38    HTTP request from 63.237.136.164: GET /default.ida?NN...
> > Thu Jul 19 09:33:14    HTTP request from 217.12.96.66: GET /default.ida?NN...
> > Thu Jul 19 10:00:43    HTTP request from 210.218.214.10: GET /default.ida?NN...
> > Thu Jul 19 10:05:05    HTTP request from 63.165.102.41: GET /default.ida?NN...
> > Thu Jul 19 10:40:26    HTTP request from 66.1.160.222: GET /default.ida?NN...
> > Thu Jul 19 10:51:14    HTTP request from 61.155.18.78: GET /default.ida?NN...
> > Thu Jul 19 10:51:53    HTTP request from 211.173.199.28: GET /default.ida?NN...
> > Thu Jul 19 11:01:18    HTTP request from 216.114.79.35: GET /default.ida?NN...
> > Thu Jul 19 11:01:57    HTTP request from 209.113.64.211: GET /default.ida?NN...
> > 
> > Anyone else getting barraged?
> > 
> > Thanks,
> > --russ
> > 
> > -------------------------------------------------------------------------------
> > Russ Harvey                                 Internet: russ-harvey at ucr.edu
> > Dept. of Computing and Communications       uucp: galaxy!russ
> > Univ. of Calif., Riverside, CA 92521-0142   phone: (909) 787-5617
> > 
> 
> 


Network Specialist
Humboldt State University
c/o Communications & Network Services
1 Harpst St. Arcata, CA 95521
Phone: (707)826-5000
FAX: (707)826-6161
Email: bdc1 at humboldt.edu
Sure I'll buy the Internet. How 'bout a trade... 
My mousepad?
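
The approach described in the quoted reply (count how many different off-site web servers each campus machine contacts, then look closely at machines in the thousands) can be sketched as follows. This is an added example, not the perl script mentioned in the thread and not part of the original messages. The record layout `epoch proto src sport dst dport`, the `CAMPUS` range, the threshold and all sample flows are assumptions constructed for illustration, not real Argus output.

```python
import ipaddress
from collections import defaultdict

# Assumed campus range (documentation addresses, not from the thread).
CAMPUS = ipaddress.ip_network("192.0.2.0/24")


def parse_flow(line):
    """Parse 'epoch proto src sport dst dport'; return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        src = ipaddress.ip_address(parts[2])
        dst = ipaddress.ip_address(parts[4])
        dport = int(parts[5])
    except ValueError:
        return None
    return parts[1].lower(), src, dst, dport


def offsite_web_fanout(lines, campus=CAMPUS):
    """Map each campus host to the set of off-site hosts it hit on TCP/80."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records instead of aborting the scan
        proto, src, dst, dport = rec
        if proto == "tcp" and dport == 80 and src in campus and dst not in campus:
            fanout[src].add(dst)  # a set, so repeat visits to one site count once
    return fanout


def suspects(lines, threshold=1000, campus=CAMPUS):
    """Return [(host, distinct_sites)] at or above threshold, busiest first."""
    fanout = offsite_web_fanout(lines, campus)
    hits = [(str(h), len(d)) for h, d in fanout.items() if len(d) >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


def constructed_sample():
    """Constructed flows: .10 sweeps 2000 addresses, .20 browses 3 sites heavily."""
    base = int(ipaddress.ip_address("198.18.0.0"))
    scan = [f"995572386 tcp 192.0.2.10 {1024 + i} {ipaddress.ip_address(base + i)} 80"
            for i in range(2000)]
    browse = [f"995572386 tcp 192.0.2.20 {2000 + i} 203.0.113.{i % 3 + 1} 80"
              for i in range(5000)]
    return scan + browse + ["garbage line", "995572386 tcp 192.0.2.30 4000 192.0.2.40 80"]
```

Counting distinct destinations rather than raw hits keeps a busy but legitimate browser or proxy user (5000 requests to 3 sites in the sample) below the threshold while the sweeping host stands out.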
