[40242] in North American Network Operators' Group

Re: Code Red Hammering Away

daemon@ATHENA.MIT.EDU (Simon Lyall)
Sat Aug 4 17:11:29 2001

Date: Sun, 5 Aug 2001 09:10:19 +1200 (NZST)
From: Simon Lyall <simon.lyall@ihug.co.nz>
To: Bob K <melange@yip.org>
Cc: <nanog@merit.edu>
In-Reply-To: <Pine.BSF.4.21.0108041654100.66103-100000@pi.yip.org>
Message-ID: <Pine.LNX.4.30.0108050903140.5347-100000@boggle.ihug.co.nz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


On Sat, 4 Aug 2001, Bob K wrote:
> N's versus X's on a server with a block of 5 IP's as of August 1, 4AM EDT:
>
> 4:53:42pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep NNNNN|wc -l
>      436
> 4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l
>        6

Checking back, the first XXXX one I saw was about 9 hours ago; since then
the number of XXXX and NNNN accesses has been about even. Actually,
checking other logs, I would say XXX accesses are the majority (over 80%)
in the last 4 or 5 hours.

I would guess a better version; perhaps it deletes the old Code Red copy
when it infects a machine, which enables it to grow so fast.

-- 
Simon Lyall.                |  Newsmaster  | Work: simon.lyall@ihug.co.nz
Senior Network/System Admin |  Postmaster  | Home: simon@darkmere.gen.nz
ihug, Auckland, NZ          | Asst Doorman | Web: http://www.darkmere.gen.nz
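
An added example, not part of the original message: the N-versus-X comparison done above with grep, broken down per hour so the shift between the two padding variants of default.ida requests shows up over time. The log lines are constructed (Apache common log format is assumed, padding is shortened, no payload is included), and matching any repeated letter rather than only N and X is a generalization.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# A default.ida request whose query starts with one letter repeated 5+ times
# (the same threshold as the NNNNN / XXXXX greps quoted in the message).
PROBE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "GET /default\.ida\?(?P<pad>[A-Za-z])(?P=pad){4,}')

def variant_counts_by_hour(lines):
    """Map 'YYYY-MM-DD HH:00' -> Counter of padding letters seen that hour."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = PROBE.search(line)
        if m is None:
            continue  # not a default.ida probe with repeated-letter padding
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        buckets[ts.strftime("%Y-%m-%d %H:00")][m.group("pad")] += 1
    return dict(buckets)

def share(counter, letter):
    """Fraction of an hour's probes that used the given padding letter."""
    total = sum(counter.values())
    return counter[letter] / total if total else 0.0

def _sample(ip, hms, pad):
    # Constructed log line: documentation-range IP, shortened padding, no payload.
    return (f'{ip} - - [04/Aug/2001:{hms} -0400] '
            f'"GET /default.ida?{pad * 12} HTTP/1.0" 404 276')

SAMPLE_LOG = [
    _sample("192.0.2.10", "07:58:12", "N"),
    _sample("198.51.100.7", "07:59:40", "N"),
    _sample("203.0.113.5", "12:03:01", "N"),
    _sample("192.0.2.44", "12:20:33", "X"),
    _sample("198.51.100.9", "16:01:15", "X"),
    _sample("203.0.113.80", "16:12:47", "X"),
    _sample("192.0.2.61", "16:30:02", "X"),
    _sample("198.51.100.23", "16:41:59", "X"),
    _sample("203.0.113.17", "16:55:20", "N"),
    '192.0.2.99 - - [04/Aug/2001:16:56:00 -0400] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hour, c in sorted(variant_counts_by_hour(SAMPLE_LOG).items()):
        print(hour, dict(c), f"X share {share(c, 'X'):.0%}")
```

To run it on a real log, pass an open file object for the access log to `variant_counts_by_hour` in place of `SAMPLE_LOG`.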

