[rescue] [OT] CodeRed activity?

David Cantrell rescue at sunhelp.org
Sun Aug 5 05:14:13 CDT 2001


Phil Brutsche <pbrutsch at tux.creighton.edu> wrote:

> My ISP isn't doing any filtering;

Nor is mine.

> I'm quite certain you (being on a DSL line somewhere in 64.0.0.0/8) can
> get to http://giedi.obix.com (which is on my home cable modem).
> 
> I think it's more likely that this worm is limiting itself to the /8
> that it finds itself being hosted in.

Demonstrably false:

[david at plough httpd]$ for i in `grep /default.ida\?XXXX www.barnyard.co.uk-access_log |awk '{print $1}'|sort|sort -u`;do echo -n "$i: ";GET http://www.ripe.net/perl/whois?query=$i|grep netname:|sed -e "s/.*netname: *//";done
195.100.166.5: SE-DICOM-DATATUTVECKLING-AB
195.122.213.98: MWVOLNETWORK
195.149.46.76: NILDRAM-ADSLACCOUNTS  <--- someone else with my ISP :-)
195.2.188.82: TOPLINK-BACKBONE2-NET
195.202.177.169: AT-KABELSIGNAL-MCNS-MED-1
195.21.27.30: DE-INX-961101
195.230.213.71: MONDONET
195.42.160.103: DATAFORCE-MAIN
203.253.181.253: IANA-BLK      <--- APNIC says this is somewhere in Korea
213.155.151.35: UK-WEBASPX
213.83.20.232: NET-SOLUTION
24.202.193.56: IANA-BLK        <--- ARIN says this is a Canadian cableco

And my host is 195.149.50.61.  So whilst *lots* of them are coming from my
/8, not all of them are.  Interestingly, most of those look like European
addresses, so it's certainly not choosing addresses at random.  I'll have to
look on sf to see how it's choosing addresses.  If I can be bothered.  Which
is unlikely.

-- 
David Cantrell | currently sig-less
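A scripted version of the check David's one-liner performs, added here as an example and not part of the original thread: it pulls Code Red probe sources out of an Apache access_log and breaks them down by /8, which is exactly the evidence that decides the "limiting itself to its own /8" question. The log lines are constructed; the server address 195.149.50.61 and the source addresses are the ones quoted in the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access_log lines (Apache common log format); the client
# addresses are taken from the post, the request lines are made up.
SAMPLE_LOG = """\
195.100.166.5 - - [04/Aug/2001:10:12:01 +0100] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
195.149.46.76 - - [04/Aug/2001:10:13:44 +0100] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
195.149.46.76 - - [04/Aug/2001:10:13:45 +0100] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
203.253.181.253 - - [04/Aug/2001:10:15:02 +0100] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
24.202.193.56 - - [04/Aug/2001:10:16:37 +0100] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
10.9.8.7 - - [04/Aug/2001:10:17:00 +0100] "GET /index.html HTTP/1.0" 200 1043
"""

# One CLF line: client, ident, user, [timestamp], "METHOD path PROTO", status, bytes.
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def is_codered_probe(path):
    """The worm's request goes to default.ida with a long run of X's in the query."""
    return path.startswith("/default.ida?XXXX")

def codered_sources(log_text):
    """Return the distinct client addresses that sent Code Red probes, sorted numerically."""
    hits = set()
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m and is_codered_probe(m.group(3)):
            hits.add(ip_address(m.group(1)))
    return sorted(hits)

def slash8_breakdown(sources, host_ip):
    """Count probing hosts per /8 and how many share the web server's own /8.

    If the worm only scanned the /8 it lives in, every source would be in the host's /8.
    """
    host_net = ip_network(f"{host_ip}/8", strict=False)
    per_slash8 = Counter(str(ip_network(f"{ip}/8", strict=False)) for ip in sources)
    same = sum(1 for ip in sources if ip in host_net)
    return {"per_slash8": per_slash8, "same_slash8": same, "other_slash8": len(sources) - same}

if __name__ == "__main__":
    srcs = codered_sources(SAMPLE_LOG)
    print(slash8_breakdown(srcs, "195.149.50.61"))
```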
