[rescue] [OT] CodeRed activity?

Adam Kropelin rescue at sunhelp.org
Sat Aug 4 22:10:58 CDT 2001


At 11:01 PM 8/4/2001 -0400, you wrote:
>Adam observed:
> > Folks, I've been seeing a major increase in CodeRed scans here today (not
> > that Apache cares...) -- about one every 1-2 minutes (to one given IP) as
> > opposed to one an hour up until this afternoon. Looks like the new variant
> > "XXXX" too. Scans exclusively are coming from 24.x.x.x range while previous
> > days they came from all over.
>
>Yes.... Except I have XXXXXXXs from other places:

Hmm, I don't have a single scan from outside of 24.0.0.0/8. Perhaps Time
Warner put a filter on the perimeter so all I see are scans generated
internally to the RR network. Dunno.

>I had 315 hits from the initial outbreak. I had about 1100 as of last night.
>As of this e-mail (9:45-ish EST/CDT):
>
>1 jon at corinne:/home/jkatz% grep default.ida /var/adm/*_log | wc -l
>     2978
>
>Wowza! I'm afraid the next round of worms (sircam++/default.ida++) will
>be far more violent/destructive.

From what I read at incidents.org, the new codered variant enables a shell
on the compromised box. Nice touch, that.

Sure is nice that Apache will just 404 the fscking things until the cows 
come home.

--Adam



