Code Red Hammering Away
Simon Lyall
simon.lyall at ihug.co.nz
Sat Aug 4 21:10:19 UTC 2001

On Sat, 4 Aug 2001, Bob K wrote:
> N's versus X's on a server with a block of 5 IP's as of August 1, 4AM EDT:
>
> 4:53:42pm|melange at host:/home/melange> grep default.ida /var/log/httpd-access.log | grep NNNNN|wc -l
> 436
> 4:53:48pm|melange at host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l
> 6

Checking back, the first XXXX one I saw was about 9 hours ago; since then
the number of XXXX and NNNN accesses has been about even. Actually,
checking other logs, I would say XXX accesses are the majority (over 80%)
in the last 4 or 5 hours.

I would guess a better version; perhaps it deletes the old Code Red copy
when it infects a machine, which enables it to grow so fast.

--
Simon Lyall. | Newsmaster | Work: simon.lyall at ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon at darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
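
As an added example (not part of the original post or thread), the grep counts above broken down per hour, so the shift in the N-to-X ratio can be read straight from an access log. It assumes Apache common log format; the function names and the sample lines are constructed for illustration, with the request padding truncated.

```shell
#!/bin/sh
# Tally default.ida probes per hour, split by padding character (N vs X).
# Input: Apache common-log-format lines on stdin or in the files given.
# Output: one line per hour: "<dd/Mon/yyyy:hh> N=<count> X=<count> X%=<share>"
codered_by_hour() {
    awk '
    /default\.ida\?/ {
        # Timestamp sits inside [...]; keep dd/Mon/yyyy:hh as the bucket key.
        if (!match($0, /\[[0-9][0-9]\/[A-Za-z]+\/[0-9]+:[0-9][0-9]/)) next
        hour = substr($0, RSTART + 1, RLENGTH - 1)
        # Classify on the five characters that follow "default.ida?".
        pad = substr($0, index($0, "default.ida?") + 12, 5)
        if (pad == "NNNNN")      kind = "N"
        else if (pad == "XXXXX") kind = "X"
        else next                      # some other default.ida request
        if (!(hour in seen)) { seen[hour] = 1; order[++n] = hour }
        count[hour, kind]++
    }
    END {
        for (i = 1; i <= n; i++) {     # hours in order of first appearance
            h = order[i]
            nn = count[h, "N"] + 0; xx = count[h, "X"] + 0
            printf "%s N=%d X=%d X%%=%d\n", h, nn, xx, int(100 * xx / (nn + xx))
        }
    }' "$@"
}

# Constructed sample log lines (documentation addresses, padding truncated).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [04/Aug/2001:07:12:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.11 - - [04/Aug/2001:07:40:22 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [04/Aug/2001:07:55:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.8 - - [04/Aug/2001:16:01:30 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.9 - - [04/Aug/2001:16:20:45 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.12 - - [04/Aug/2001:16:33:10 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [04/Aug/2001:16:48:02 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.10 - - [04/Aug/2001:16:59:58 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.11 - - [04/Aug/2001:16:59:59 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
EOF
}

sample_log | codered_by_hour
```

Against a real log, pass the file name instead: `codered_by_hour /var/log/httpd-access.log`.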