North American Network Operators Group

Re: Worm probes
indeed. scanning for strings that appear to be associated with the
Concept Virus(CV) V.5, there is a tremendous increase in bandwidth
usage. today alone i match:

/scripts: 18013
/_vti_bin: 1885
_mem_bin: 1916
/ms_adc/: 1945
/winnt/system32: 27648

bugtraq is starting to get in the preliminary reports of this worm.
beware that infected host's home pages contain a javascript that
sends you to a page that attempts to send you a copy of the worm.

fantastic, eh?

-r

On Tue, Sep 18, 2001 at 11:05:35AM -0400, [email protected] said at one point in time:
>
> ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k
> box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this
> time of day, although still well short of capacity...apache server
> processor load is WAY up just from the requests, and the logs are growing
> like mad.
>
> On Tue, 18 Sep 2001, deeann mikula wrote:
>
> > On Tue, 18 Sep 2001, ravi pina wrote:
> >
> > > On Tue, Sep 18, 2001 at 09:54:31AM -0400, [email protected] said at one point in time:
> > > >
> > > > Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
> > > > probes this morning? We're seeing about 8000/second, starting around 9:15
> > > > Eastern time, to and from a wide variety of addresses.
> > >
> > > affirmative. i just looked at my logs, and it looks like
> > > each probe tries a bunch of things. i haven't seen much
> > > on the lists, but i'm looking right now.
> >
> > i'm pretty sure that the worm's attack phase starts on the 20th (which
> > of course, depends upon a correctly set system clock) and also that
> > attempting to execute something like /scripts/root.ext/c++ something
> > is involved.
> >
> > i think that cert's website would be a good place to look. i'm *not*
> > a security/virus chick, but i did host a talk by marty linder of cert
> > where he dissected code red's activity and presented a summary.
> >
> > cert is of course, http://www.cert.org.
> >
> > deeann m.m. mikula
> >
> > director of operations
> > telerama public access internet
> > http://www.telerama.com
> > 1.877.688.3200
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> [email protected] http://3.am
> =========================================================================

--
echo "send pgp key" | mail [email protected] ; [email protected]:/home/ravi# rm -rf /bin/laden

"Now I don't want you to worry, class. These tests will have no effect
on your grades. They merely determine your future social status and
financial success. If any." -- Mrs. Krabappel
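
The per-string tally reported in the message above, as an added example that is not part of the original post: a Python sketch that counts those five substrings in Apache access-log lines and groups the probing requests by client. The log format, the URL-decoding and case-folding steps, and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Substrings taken from the counts listed in the message above.
SIGNATURES = ["/scripts", "/_vti_bin", "_mem_bin", "/ms_adc/", "/winnt/system32"]

# Assumed input: Apache common/combined log format (client, ident, user, [time], "request").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"'
)

def tally(lines):
    """Return (hits per signature, probing requests per client, unparsed line count)."""
    per_sig, per_ip, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # empty or malformed request line; count it, do not guess
            continue
        # Decode %xx escapes and fold case so encoded or mixed-case targets still match.
        target = unquote(m.group("target")).lower()
        matched = [s for s in SIGNATURES if s in target]
        per_sig.update(matched)  # one request may hit several strings, as with grep -c
        if matched:
            per_ip[m.group("ip")] += 1
    return per_sig, per_ip, skipped

# Constructed sample lines (documentation addresses, placeholder paths), not real traffic.
T = "[18/Sep/2001:09:15:01 -0400]"
SAMPLE = [
    f'192.0.2.10 - - {T} "GET /scripts/EXAMPLE HTTP/1.0" 404 210',
    f'192.0.2.10 - - {T} "GET /_VTI_BIN/EXAMPLE HTTP/1.0" 404 210',
    f'192.0.2.10 - - {T} "GET /scripts/EXAMPLE%2Fwinnt%2Fsystem32%2FEXAMPLE HTTP/1.0" 404 210',
    f'198.51.100.7 - - {T} "GET /_mem_bin/EXAMPLE HTTP/1.0" 404 210',
    f'198.51.100.7 - - {T} "GET /ms_adc/EXAMPLE HTTP/1.0" 404 210',
    f'203.0.113.5 - - {T} "GET /index.html HTTP/1.0" 200 1043',
    f'203.0.113.5 - - {T} "-" 408 -',
]

if __name__ == "__main__":
    sigs, clients, bad = tally(SAMPLE)
    for sig in SIGNATURES:
        print(f"{sig}: {sigs[sig]}")
    print("top clients:", clients.most_common(5), "unparsed lines:", bad)
```

The per-client counter is what separates a handful of infected hosts from a wide spread of sources when the totals climb.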