[40088] in North American Network Operators' Group


Code Red Scans

daemon@ATHENA.MIT.EDU (Joe Blanchard)
Wed Aug 1 16:04:47 2001

Message-ID: <E9BBE0941932D511934C0002A52CDB4E2D07B3@sj-exchange.wyse.com>
From: Joe Blanchard <jblanchard@wyse.com>
To: nanog@nanog.org
Date: Wed, 1 Aug 2001 13:03:03 -0700 




Still seeing tons of traffic scanning for port 80s. Already sent off 4
emails to various .edus that appear to be infected (several nodes) and one
to Microsoft as well. In a brief listing of nodes my count is greater than
64k of unique IP addys so far.

Hmm, pretty bad when MS themselves look to be infected. Or maybe they're
"testing" something, or someone is spoofing?


> Aug  1 12:37:36: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/3383 dst inside:xxx.xxx.xxx.xxx/80
> Aug  1 12:37:40: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/3383 dst inside:xxx.xxx.xxx.xxx/80
> Aug  1 12:40:04: %PIX-3-106010: Deny inbound tcp src outside:131.107.190.124/41854 dst inside:xxx.xxx.xxx.xxx/80
> Aug  1 12:40:08: %PIX-3-106010: Deny inbound tcp src outside:131.107.190.124/41854 dst inside:xxx.xxx.xxx.xxx/80
> Aug  1 12:40:39: %PIX-3-106010: Deny inbound tcp src outside:131.107.86.103/4167 dst inside:xxx.xxx.xxx.xxx/80
> Aug  1 12:41:52: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/4367 dst inside:xxx.xxx.xxx.xxx/80
> Aug  1 12:42:00: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/4367 dst inside:xxx.xxx.xxx.xxx/80
> Aug  1 12:43:02: %PIX-3-106010: Deny inbound tcp src outside:131.107.90.67/3667 dst inside:xxx.xxx.xxx.xxx/80

	Microsoft Corporation (NET-MICROSOFT)
	   One Redmond Way
	   Redmond, WA 98052
	   US

	   Netname: MICROSOFT
	   Netblock: 131.107.0.0 - 131.107.255.255

	   Coordinator:
	      Microsoft  (ZM39-ARIN)  noc@microsoft.com




-Joe
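As an added example (not part of Joe's post or the NANOG archive), a small Python triage script for exactly the kind of PIX %PIX-3-106010 deny lines quoted above: it counts distinct TCP/80 scan attempts and unique source hosts, then groups the sources by /16 so the owning netblocks (here 131.107.0.0/16) can be identified for notification. The sample log lines are constructed from the post's format; the documentation address 198.51.100.5 stands in for the masked destination.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample input modelled on the post's PIX lines, one entry per line;
# 198.51.100.5 stands in for the masked inside address, last two lines are extra.
SAMPLE_LOG = """\
Aug  1 12:37:36: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/3383 dst inside:198.51.100.5/80
Aug  1 12:37:40: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/3383 dst inside:198.51.100.5/80
Aug  1 12:40:04: %PIX-3-106010: Deny inbound tcp src outside:131.107.190.124/41854 dst inside:198.51.100.5/80
Aug  1 12:40:08: %PIX-3-106010: Deny inbound tcp src outside:131.107.190.124/41854 dst inside:198.51.100.5/80
Aug  1 12:40:39: %PIX-3-106010: Deny inbound tcp src outside:131.107.86.103/4167 dst inside:198.51.100.5/80
Aug  1 12:41:52: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/4367 dst inside:198.51.100.5/80
Aug  1 12:42:00: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/4367 dst inside:198.51.100.5/80
Aug  1 12:43:02: %PIX-3-106010: Deny inbound tcp src outside:131.107.90.67/3667 dst inside:198.51.100.5/80
Aug  1 12:43:10: %PIX-3-106010: Deny inbound tcp src outside:192.0.2.17/1025 dst inside:198.51.100.5/80
Aug  1 12:43:11: %PIX-3-106010: Deny inbound udp src outside:192.0.2.17/1025 dst inside:198.51.100.5/80
"""

# 106010 format: Deny inbound <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
DENY_RE = re.compile(
    r"%PIX-3-106010: Deny inbound (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_denies(log_text):
    """Yield (proto, src_ip, sport, dst_ip, dport) for every 106010 deny line."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def summarize_port80_scanners(log_text, prefixlen=16):
    """Return (attempts, unique_sources, sources_per_block) for TCP/80 denies.
    A repeated src/sport pair seconds apart (as in the post) is one SYN being
    retransmitted, so attempts are distinct (src, sport) pairs, not raw lines."""
    attempts, sources = set(), set()
    for proto, src, sport, _dst, dport in parse_denies(log_text):
        if proto == "tcp" and dport == 80:
            attempts.add((src, sport))
            sources.add(src)
    # Distinct sources per /prefixlen: the netblocks whose operators to notify.
    per_block = Counter(
        str(ipaddress.ip_network(f"{s}/{prefixlen}", strict=False)) for s in sources
    )
    return len(attempts), len(sources), per_block

if __name__ == "__main__":
    print(summarize_port80_scanners(SAMPLE_LOG))
```

On the sample above this reports 6 attempts from 5 hosts, 4 of them inside 131.107.0.0/16, while the UDP line is ignored.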
