[40253] in North American Network Operators' Group
Re: Code Red variants
daemon@ATHENA.MIT.EDU (Jeff Ogden)
Sat Aug 4 22:56:57 2001
Mime-Version: 1.0
Message-Id: <v04210103b79263457937@[198.108.90.150]>
In-Reply-To: <20010804165746.A19622@metron.com>
Date: Sat, 4 Aug 2001 22:48:09 -0400
To: nanog@merit.edu
From: Jeff Ogden <jogden@merit.edu>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Errors-To: owner-nanog-outgoing@merit.edu
Do we know if anyone has looked at the code for variants of the worm
in detail recently? I've seen announcements about new versions with
better random IP address generation. Does anyone know if other
aspects of the worm are the same? Is it still set to spread itself
until the 19th and then switch to attacking the IP address that was
once www1.whitehouse.gov or are there variants with different dates
and different IP addresses or attack scenarios?
-Jeff
At 4:57 PM -0700 8/4/01, Lou Katz wrote:
>I'm seeing about 2:1 "XXXXXXXXXXXX" vs "NNNNNNNNNNNN" entries in today's logs.
>
>Also, I have over a factor of 20 more entries in Aug than in July.
>
>--
>
>
>-=[L]=-