North American Network Operators Group

Re: CodeRedII worm..
At 11:15 AM 8/5/01, you wrote:
> > worm creates a known backdoor. I'm certain that both the CodeRedII author

Detecting hosts infected with CodeRed which are spewing requests is simple. Set up an Apache server, then scan the logs for "default.ida" in requests. Since Apache doesn't use such nonsense itself, they are Code Red requests.

Probably 50% of the CodeRed noise I'm seeing comes from hosts without INADDR; nearly all of the remainder is DSL, cable modem and dialup machines. So far, I've only recorded ONE www.<something>.com server sending requests to my servers.

I expect this month's round of Code Red floods (when the infected machines turn to DDoS mode) to be coming from home user machines. It's going to be a LOT harder to deal with these than it was with servers on corporate or colo networks.

-----------------------------------------------------------------
Daniel Senie [email protected]
Amaranth Networks Inc. http://www.amaranth.com
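The log check described in the post, as an added example (this is not code from the post or from Amaranth Networks): it parses Apache common/combined-format access-log lines, flags every request whose path contains "default.ida", and tallies the probing hosts. The split into Code Red I and Code Red II relies on the publicly documented signatures (the first variant pads the query string with a run of "N", the second with a run of "X"); that distinction is an assumption added here, not something the post states. The log lines are constructed samples, not real captures.

```python
"""Scan Apache access-log lines for Code Red probes (added example, not from the post).

Any request for "default.ida" is treated as a Code Red probe, since Apache never
serves that URL itself.  The N/X split is taken from published signatures of
Code Red I and Code Red II and is an assumption, not part of the original post.
"""
import re
from collections import Counter

# Apache common/combined log format: client ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation addresses, not real captures).
SAMPLE_LOG = """\
192.0.2.17 - - [05/Aug/2001:11:02:41 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 207
198.51.100.9 - - [05/Aug/2001:11:03:02 -0400] "GET /index.html HTTP/1.1" 200 1043
203.0.113.44 - - [05/Aug/2001:11:03:15 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 207
203.0.113.44 - - [05/Aug/2001:11:03:16 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 207
192.0.2.17 - - [05/Aug/2001:11:04:00 -0400] "GET /robots.txt HTTP/1.0" 404 200
"""


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_probe(request):
    """Classify the request-line of a log entry.

    Returns 'codered1' (query padded with N), 'codered2' (query padded with X),
    'unknown-ida' for any other default.ida request, or None if it is not a probe.
    """
    parts = request.split()
    if len(parts) < 2:
        return None
    path = parts[1]
    if "default.ida" not in path.lower():
        return None
    query = path.partition("?")[2]
    # Assumed signatures: Code Red I pads with 'N', Code Red II with 'X'.
    if re.match(r"^N{4,}", query):
        return "codered1"
    if re.match(r"^X{4,}", query):
        return "codered2"
    return "unknown-ida"


def scan(log_text):
    """Count default.ida probes per (source host, variant) over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        variant = classify_probe(rec["request"])
        if variant is not None:
            counts[(rec["host"], variant)] += 1
    return counts


def infected_hosts(counts):
    """Sorted list of every source address that sent at least one probe."""
    return sorted({host for (host, _variant) in counts})


if __name__ == "__main__":
    tally = scan(SAMPLE_LOG)
    for (host, variant), n in sorted(tally.items()):
        print(f"{host:16s} {variant:12s} {n}")
    print("probing hosts:", ", ".join(infected_hosts(tally)))
```

On a live box the same check is a one-liner over the real log, e.g. `grep default.ida /var/log/apache/access_log | awk '{print $1}' | sort | uniq -c`; the script above only adds the variant split and a parse step that tolerates unrelated lines.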