[56833] in North American Network Operators' Group


FW: Code red- Returning?

daemon@ATHENA.MIT.EDU (McBurnett, Jim)
Tue Mar 18 13:41:29 2003

Date: Tue, 18 Mar 2003 13:38:57 -0500
From: "McBurnett, Jim" <jmcburnett@msmgmt.com>
To: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu


I think this should go here..
Mistyped nanog....

Jim

>-----Original Message-----
>From: Johannes Ullrich [mailto:jullrich@euclidian.com]
>Sent: Tuesday, March 18, 2003 1:10 PM
>To: McBurnett, Jim
>Cc: anog@merit.edu
>Subject: Re: Code red- Returning?
>
>
>
>
>Yes. This month, we are tracking about twice as many sources as usual
>scanning port 80. The likely reason is the release of Code Red F earlier
>this month.
>
>Graph of port 80 activity for the last 2+ months:
>http://www.dshield.org/port_report.php?port=80&days=70
>
>
>In addition, there are some spikes in the number of targets scanned, which
>could be target list acquisitions for the next big thing (maybe the WebDav
>exploit).
>
>AFAIK, the only difference for Code Red F is that it changed the 'cut off year'
>at which it will stop scanning. So it probably infected some machines that due
>to clock settings were not infected by the other versions. But I haven't had
>a chance to look at it in detail.
>
>
>
>On Tue, 18 Mar 2003 12:50:17 -0500
>"McBurnett, Jim" <jmcburnett@msmgmt.com> wrote:
>
>> Has anyone out there noticed an increase in a Code-Red patterned virus?
>> I know about the Microsoft bug that came out yesterday/last night.
>> But I am seeing the same symptoms as Code Red,
>> 800+ hits in the last 12 hours, from the same Class A network I am on.
>> The amount is increasing per hour..
>> It started with 50 the first hour and now it is just about 150 an hour...
>>
>> Thoughts?
>>
>> thanks,
>> Jim
>>
>
>
>--
>--------------------------------------------------------------------
>jullrich@euclidian.com             Collaborative Intrusion Detection
>                                         join http://www.dshield.org
>
