[21680] in bugtraq


Re(2): 'Code Red' does not seem to be scanning for IIS

daemon@ATHENA.MIT.EDU (Ken Eichman)
Thu Jul 19 20:46:05 2001

Date: Thu, 19 Jul 2001 19:15:32 -0400 (EDT)
From: Ken Eichman <keichman@cas.org>
Message-Id: <0107191915.AA29291@cas.org>
In-Reply-To: <995553B4C2DBD3119BFA0090278A73710B6C29@prbdc.fb.org> of Thu, 19 Jul 2001 17:21:06 -0500
To: Kelly Martin <kellym@fb00.fb.org>, bugtraq@securityfocus.com
Cc: "'Mike Brockman'" <phubuh@home.se>, bugtraq@securityfocus.com

I can correlate what Kelly reports -- *something* happened between 14-1500 GMT
today to drastically increase the number of 'code red' scans/infections. I've
been tracking them since Saturday on my IDS. Our class-b address space appears
to be high up on the worm's scanning pattern. For all of 7/18 I recorded probes
from 8247 unique host IP addresses, presumably compromised with 'code red'.
Just during the 1900GMT hour today - one hour of logs - I recorded 'code red'
hits from 115124 different IP addresses. All of these probes are bouncing off
our firewall. The drastic increase in infections/probes began between
1300-1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.

Ken Eichman                  Senior Security Engineer
Chemical Abstracts Service   Tel:   (614) 447-3838 ext 3230
2540 Olentangy River Road    Fax:   (614) 447-3855
Columbus, OH 43210           Email: keichman@cas.org

> From: Kelly Martin <kellym@fb00.fb.org>
> To: "'Mike Brockman'" <phubuh@home.se>, bugtraq@securityfocus.com
> Subject: RE: 'Code Red' does not seem to be scanning for IIS
> Date: Thu, 19 Jul 2001 17:21:06 -0500

> Our principal web server (which services some 50-odd virtual domains) has
> taken over 500 hits from "Code Red" worms since around 10am today.  It runs
> Apache, so it doesn't present a security risk, but it is tending to annoy
> our already-overloaded network pipe (we have four Class C's squeezed into
> one T1 line).  Prior to today at around 11am there is no record in our
> logfiles for that server, which go back to 10 July.
>
> Our servers all started to see hits at about the same time, around 10 am
> central time.  Two of them, NT 4.0 SP6a systems with IIS 5, died, one
> repeatedly, before we figured out what was going on.  The attacks come from
> widely variable hosts (no discernible pattern).  I've tracked nearly a
> thousand hits on our IP block in the past six hours or so with none before
> that, and that doesn't even count the ones that smacked silently against the
> firewall (port 80 is only open through the firewall to hosts that actually
> run public web servers, which is only a tiny fraction of the IPs in the
> block).
>
> My cable modem has also started to get hit today, for the first time as far
> as I know, as has our off-site ecommerce server.  I suspect that this is a
> fresh launch, possibly with a modified code base from the original Red Code
> worm.
>
> Kelly Martin
> American Farm Bureau Federation
