North American Network Operators Group


Re: Worm probes

  • From: Bryan Heitman
  • Date: Tue Sep 18 11:25:14 2001

We're also seeing a large increase in this activity.  This seems to be more
severe than the first time.  Have an additional 30 to 40 meg inbound from
this.

Best regards,


Bryan Heitman
CommuniTech.Net, Inc.
----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Tuesday, September 18, 2001 10:05 AM
Subject: Re: Worm probes


>
>
> ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k
> box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this
> time of day, although still well short of capacity...apache server
> processor load is WAY up just from the requests, and the logs are growing
> like mad.
>
> On Tue, 18 Sep 2001, deeann mikula wrote:
>
> >
> > On Tue, 18 Sep 2001, ravi pina wrote:
> >
> > >
> > > On Tue, Sep 18, 2001 at 09:54:31AM -0400, [email protected] said at one point in time:
> > > >
> > > >
> > > > Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
> > > > probes this morning?  We're seeing about 8000/second, starting around 9:15
> > > > Eastern time, to and from a wide variety of addresses.
> > >
> > > affirmative.  i just looked at my logs, and it looks like
> > > each probe tries a bunch of things.  i haven't seen much
> > > on the lists, but i'm looking right now.
> >
> > i'm pretty sure that the worm's attack phase starts on the 20th (which
> > of course, depends upon a correctly set system clock) and also that
> > attempting to execute something like /scripts/root.ext/c++ something
> > is involved.
> >
> > i think that cert's website would be a good place to look.  i'm *not*
> > a security/virus chick, but i did host a talk by marty linder of cert
> > where he dissected code red's activity and presented a summary.
> >
> > cert is of course, http://www.cert.org.
> >
> >
> > deeann m.m. mikula
> >
> > director of operations
> > telerama public access internet
> > http://www.telerama.com
> > 1.877.688.3200
> >
> >
> >
> >
>
> James Smallacombe       PlantageNet, Inc. CEO and Janitor
> [email protected]     http://3.am
> =========================================================================
>