[rescue] [OT] CodeRed activity?
Jonathan Katz
rescue at sunhelp.org
Sat Aug 4 22:01:38 CDT 2001
Adam observed:
> Folks, I've been seeing a major increase in CodeRed scans here today (not
> that Apache cares...) -- about one every 1-2 minutes (to one given IP) as
> opposed to one an hour up until this afternoon. Looks like the new variant
> "XXXX" too. Scans exclusively are coming from 24.x.x.x range while previous
> days they came from all over.
Yes.... Except I have XXXXXXXs from other places:
209.249.9.232.ecapital.com - - [04/Aug/2001:18:22:47 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 316 "-" "-"
I had 315 hits from the initial outbreak. I had about 1100 as of last night.
As of this e-mail (9:45-ish EST/CDT):
1 jon at corinne:/home/jkatz% grep default.ida /var/adm/*_log | wc -l
2978
Wowza! I'm afraid the next round of worms (sircam++/default.ida++) will
be far more violent/destructive.
-Jon
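
An added example, not part of the original post: a plain `grep default.ida | wc -l` also counts lines where the string only appears in a Referer, and it does not separate the "XXXX" requests from other padding or show where they come from. The sketch below parses Apache access-log lines and counts probes by padding character and by source. The function names, the 20-character run threshold and the sample lines are assumptions; the sample includes one line with N padding, the form used by the earlier Code Red worm.

```python
import re
from collections import Counter

# Apache common/combined log line: host ident user [time] "METHOD path ..." status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Probe shape seen in the post: /default.ida? followed by a long run of one character.
PROBE_RE = re.compile(r'^/default\.ida\?(.)\1{19,}')
IPV4_RE = re.compile(r'^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$')

def classify(line):
    """Return (host, padding_char, status) for a default.ida probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, _method, path, status = m.groups()
    p = PROBE_RE.match(path)
    if not p:
        return None  # e.g. "default.ida" only in a Referer, which plain grep counts
    return host, p.group(1), int(status)

def summarize(lines):
    """Count probes by padding character, by source /8 (or hostname), and by status."""
    by_pad, by_src, by_status = Counter(), Counter(), Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        host, pad, status = hit
        ip = IPV4_RE.match(host)  # logs with hostname lookups on show names, not IPs
        by_pad[pad] += 1
        by_src[ip.group(1) + ".x.x.x" if ip else host] += 1
        by_status[status] += 1
    return {"total": sum(by_pad.values()), "padding": dict(by_pad),
            "sources": dict(by_src), "status": dict(by_status)}

# Constructed sample lines (documentation addresses; payload cut down to padding only).
PAD_X, PAD_N = "X" * 40, "N" * 40
SAMPLE = [
    f'192.0.2.10 - - [04/Aug/2001:18:22:47 -0400] "GET /default.ida?{PAD_X}%u9090=a HTTP/1.0" 404 316 "-" "-"',
    f'192.0.2.77 - - [04/Aug/2001:18:24:02 -0400] "GET /default.ida?{PAD_X}%u9090=a HTTP/1.0" 404 316 "-" "-"',
    f'198.51.100.5 - - [03/Aug/2001:09:10:11 -0400] "GET /default.ida?{PAD_N}%u9090=a HTTP/1.0" 404 316 "-" "-"',
    f'host.example.net - - [04/Aug/2001:18:30:00 -0400] "GET /default.ida?{PAD_X}%u9090=a HTTP/1.0" 404 316 "-" "-"',
    '203.0.113.9 - - [04/Aug/2001:18:31:00 -0400] "GET /index.html HTTP/1.0" 200 1024 "http://example.org/default.ida" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Any status other than 404 in the result is worth a closer look, since it means the server answered the request with something other than "not found".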