North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

FW: Code red- Returning?

  • From: McBurnett, Jim
  • Date: Tue Mar 18 13:41:26 2003

I think this shouldgo here..
Mistype nanog....

Jim

>-----Original Message-----
>From: Johannes Ullrich [mailto:[email protected]]
>Sent: Tuesday, March 18, 2003 1:10 PM
>To: McBurnett, Jim
>Cc: [email protected]
>Subject: Re: Code red- Returning?
>
>
>
>
>Yes. This month, we are tracking about twice as many sources as usual
>scanning port 80. The likely reason is the release of Code Red 
>F earlier
>this month.
>
>graph of port 80 activity for the last 2+months:
>ttp://www.dshield.org/port_report.php?port=80&days=70
>
>
>In addition, there are some spikes in the number of targets 
>scanned, which
>could be target list acquisitions for the next big thing 
>(maybe the WebDav
>exploit).
>
>AFAIK, the only difference for Code Red F is that it changed 
>the 'cut off year'
>at which it will stop scanning. So it probably infected some 
>machines that due
>to clock settings where not infected by the other versions. 
>But I haven't had
>a chance to look at it in detail.
>
>
>
>On Tue, 18 Mar 2003 12:50:17 -0500
>"McBurnett, Jim" <[email protected]> wrote:
>
>> Has anyone out there noticed an increase in a Code-Red 
>patterned virus?
>> I know about the Microsoft bug that came out yesterday/last night.
>> But I am seeing the same symptoms as Code Red,
>> 800+ hits in the last 12 hours, from the same Class A 
>network I am on.
>> The amount is increasing per hour..
>> It started with 50 the first hour and now it just about 150 
>an hour...
>> 
>> Thoughts?
>> 
>> thanks,
>> Jim
>> 
>> 
>> 
>
>
>-- 
>--------------------------------------------------------------------
>[email protected]             Collaborative Intrusion Detection
>                                         join http://www.dshield.org
>