FW: Code red- Returning?
McBurnett, Jim
jmcburnett at msmgmt.com
Tue Mar 18 18:38:57 UTC 2003
I think this should go here..
Mistype nanog....
Jim
>-----Original Message-----
>From: Johannes Ullrich [mailto:jullrich at euclidian.com]
>Sent: Tuesday, March 18, 2003 1:10 PM
>To: McBurnett, Jim
>Cc: anog at merit.edu
>Subject: Re: Code red- Returning?
>
>Yes. This month, we are tracking about twice as many sources as usual
>scanning port 80. The likely reason is the release of Code Red F earlier
>this month.
>
>Graph of port 80 activity for the last 2+ months:
>http://www.dshield.org/port_report.php?port=80&days=70
>
>
>In addition, there are some spikes in the number of targets scanned, which
>could be target list acquisitions for the next big thing (maybe the WebDav
>exploit).
>
>AFAIK, the only difference for Code Red F is that it changed the 'cut off year'
>at which it will stop scanning. So it probably infected some machines that due
>to clock settings were not infected by the other versions. But I haven't had
>a chance to look at it in detail.
>
>
>
>On Tue, 18 Mar 2003 12:50:17 -0500
>"McBurnett, Jim" <jmcburnett at msmgmt.com> wrote:
>
>> Has anyone out there noticed an increase in a Code-Red patterned virus?
>> I know about the Microsoft bug that came out yesterday/last night.
>> But I am seeing the same symptoms as Code Red,
>> 800+ hits in the last 12 hours, from the same Class A network I am on.
>> The amount is increasing per hour..
>> It started with 50 the first hour and now it is just about 150 an hour...
>>
>> Thoughts?
>>
>> thanks,
>> Jim
>>
>>
>>
>
>
>--
>--------------------------------------------------------------------
>jullrich at euclidian.com Collaborative Intrusion Detection
> join http://www.dshield.org
>