[42582] in North American Network Operators' Group


Re: Worm probes

daemon@ATHENA.MIT.EDU (deeann mikula)
Tue Sep 18 10:45:19 2001

Date: Tue, 18 Sep 2001 10:40:07 -0400 (EDT)
From: deeann mikula <deeann@telerama.com>
To: ravi pina <ravi@cow.org>
Cc: <sigma@pair.com>, <nanog@merit.edu>
In-Reply-To: <20010918100122.N48799@happy.cow.org>
Message-ID: <Pine.BSF.4.30.0109181020550.15438-100000@gauntlet.telerama.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 18 Sep 2001, ravi pina wrote:

>
> On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma@pair.com said at one point in time:
> >
> >
> > Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
> > probes this morning?  We're seeing about 8000/second, starting around 9:15
> > Eastern time, to and from a wide variety of addresses.
>
> affirmative.  i just looked at my logs, and it looks like
> each probe tries a bunch of things.  i haven't seen much
> on the lists, but i'm looking right now.
>

i'm pretty sure that the worm's attack phase starts on the 20th (which
of course, depends upon a correctly set system clock) and also that
attempting to execute something like /scripts/root.ext/c++ something
is involved.

i think that cert's website would be a good place to look.  i'm *not*
a security/virus chick, but i did host a talk by marty linder of cert
where he dissected code red's activity and presented a summary.

cert is of course, http://www.cert.org.


deeann m.m. mikula

director of operations
telerama public access internet
http://www.telerama.com
1.877.688.3200



