[rescue] New worm?
Greg A. Woods
rescue at sunhelp.org
Wed Sep 19 21:43:48 CDT 2001
[ On Wednesday, September 19, 2001 at 21:30:31 (-0400), Patrick Giagnocavo wrote: ]
> Subject: Re: [rescue] New worm?
>
> Definitely, one of my servers got over 3400 hits on this as of last
> night; I didn't even check this later, but I am sure it is higher.

You must live in a pretty bad neighbourhood, network wise! ;-)

(from what ``we'' know so far the thing repeatedly scans the /16
netblock of the infected host. Some parts of 24.0.0.0/8 were more or
less unusable at the peak times yesterday....)

22:17 [2032] $ fgrep MSADC/root.exe /var/log/httpd/access_log | wc -l
2391
22:28 [2033] $ fgrep MSADC/root.exe /var/log/httpd/access_log | awk '{print $2}' | sort -u | wc -l
492

(my log file starts early on Saturday sometime)

My @Home interface on my firewall (which does not run anything on
port-80) logs report (also starting early on Sat. sometime):

$ fgrep 24.42.191.4,80 /var/log/ipfilter.0 /var/log/ipfilter | wc -l
5328
$ fgrep 24.42.191.4,80 /var/log/ipfilter.0 /var/log/ipfilter | awk '{print $10}' | sed 's/,.*$//' | sort -u | wc -l
547

and for the DSL port:

$ fgrep 216.138.200.154,80 /var/log/ipfilter.0 /var/log/ipfilter | wc -l
2377
$ fgrep 216.138.200.154,80 /var/log/ipfilter.0 /var/log/ipfilter | awk '{print $10}' | sed 's/,.*$//' | sort -u | wc -l
500

Hmmm.... 1047 idiot direct neighbours so far and almost another 500
idiot network neighbours too.... idiots. I have no sympathy.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods at acm.org> <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>
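
Added example, not part of the original message: the hit and unique-source tallies above done in one pass, with distinct sources also split by whether they sit in the server's own /16, the range the message says infected hosts keep scanning. It assumes Common Log Format with the client IPv4 address in field 1 (the poster's log has it in field 2); probe_summary and sample_log are names made up here, and the log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: summarise root.exe probe hits in a web access log.
# Assumption: Common Log Format, client IPv4 address in field 1.

# probe_summary LOCAL_IP < access_log
# Prints four numbers on one line:
#   total_hits unique_sources sources_in_same_/16 sources_elsewhere
probe_summary() {
    awk -v addr="$1" '
        BEGIN {
            # First two octets of the local address form the /16 prefix.
            split(addr, o, ".")
            prefix = o[1] "." o[2] "."
        }
        index($0, "MSADC/root.exe") {
            total++
            if (!($1 in seen)) {
                seen[$1] = 1
                uniq++
                # A source is a "direct neighbour" if it shares the /16.
                if (index($1, prefix) == 1) near++; else far++
            }
        }
        END { printf "%d %d %d %d\n", total, uniq, near, far }
    '
}

# Constructed sample log (private and documentation addresses only).
sample_log() {
    cat <<'EOF'
10.42.10.7 - - [18/Sep/2001:09:01:02 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 276
10.42.10.7 - - [18/Sep/2001:09:01:03 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 276
10.42.200.19 - - [18/Sep/2001:09:04:40 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 276
192.0.2.55 - - [18/Sep/2001:09:07:11 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 276
198.51.100.9 - - [18/Sep/2001:09:09:30 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 276
10.42.3.3 - - [18/Sep/2001:09:10:00 -0400] "GET /index.html HTTP/1.0" 200 1043
EOF
}

# Local server address 10.42.191.4 is a constructed value.
sample_log | probe_summary 10.42.191.4
```

A high share of same-/16 sources is what the local-netblock scanning described in the message would produce; sources elsewhere account for the rest.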