[42597] in North American Network Operators' Group

Re: Worm probes

daemon@ATHENA.MIT.EDU (Hermann Wecke)
Tue Sep 18 12:23:18 2001

Date: Tue, 18 Sep 2001 12:17:06 -0400 (EDT)
From: Hermann Wecke <hermann@rodeios.com>
To: <sigma@pair.com>
Cc: <nanog@merit.edu>
In-Reply-To: <20010918135431.27315.qmail@smx.pair.com>
Message-ID: <Pine.BSF.4.30.0109181208250.26871-100000@cele.pair.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


Yes, I saw...

I just contacted our local NIC security guys and they told me that there are
two new worms. One is exploiting the backdoors left by codered 2, and
another worm is (possibly) a "codered 3", which is defacing the web pages
with anti-Chinese and anti-poisonbox messages...

Today is the day... :-((((

On Tue, 18 Sep 2001 sigma@pair.com wrote:
> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
> probes this morning?  We're seeing about 8000/second, starting around 9:15
> Eastern time, to and from a wide variety of addresses.
>
> Is CodeRed or one of its relatives scheduled to start sweeping again today?
> We've never seen this level of traffic related to the NT worms.  Even
> though we don't run any NT at all, we still have to suffer :(
>
> Kevin


