Re: [SLUG] Insight on Code Red II

From: billt (billt@ifelse.org)
Date: Tue Aug 07 2001 - 08:52:39 EDT


On Mon, Aug 06, 2001 at 09:30:44PM -0400, Kai Lien wrote:

> Another insight is the number of tampabay.rr hostnames in
> the log. My logs are stored in a MySQL db. I use select
> distinct IP where hostname like '%tampabay%' to filter out
> the list. There were close to 60 distinct IPs with a tampabay
> hostname. Not too bad for the Tampa Bay area. From my own
> numbers, less than 5% of all attacks are from the tampabay.rr
> domain.

Code Red II tends to stick to its own IP address block when
scanning. I forget the actual numbers, but it does explain
why many of the attempts I get are from the same 24.88/16
addresses.

I set up Apache on my home machine to count the attempts. What
is interesting is that within 10 seconds of starting Apache and
tail -f'ing the access_log, I had one attempt. Now suppose I was
setting up a Win 2000 machine from the install CD. Chances are
I (and probably most new installs) would be infected before
having a chance to patch the system.

Hopefully, the MS supplied patch un-does the exploitable
root.exe mess left behind. If not, this is big trouble.
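The counting billt describes (tail the Apache access_log, tally the probes, notice that most come from the local /16) and the distinct-IP query Kai Lien ran against MySQL can both be done from a short script over the raw log. The example below is added here and is not code from either poster. It parses Apache common log format, tags requests by what they look like (Code Red II hits /default.ida with a long run of X characters, the original Code Red used N characters, and requests for /scripts/root.exe or /msadc/root.exe are probes for the cmd.exe copy Code Red II leaves behind), then counts hits and distinct sources and splits the Code Red II sources by whether they share the local /16 or /8. Contemporary analyses of the worm's target selection put it at roughly 3/8 same /16, 1/2 same /8 and 1/8 anywhere, which is what the locality split lets you check. The local address 24.88.50.10 and all sample log lines are constructed for the example (and the X runs are abbreviated), not real captures.

```python
import re
from collections import Counter, defaultdict

MY_IP = "24.88.50.10"  # assumed local address, used only for the same-block check

# Constructed, abbreviated sample lines in Apache common log format (not a real capture).
SAMPLE_LOG = """\
24.88.17.201 - - [07/Aug/2001:08:40:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 272
24.88.201.5 - - [07/Aug/2001:08:40:31 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 272
24.88.17.201 - - [07/Aug/2001:08:41:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 272
24.130.9.77 - - [07/Aug/2001:08:41:44 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 272
65.32.44.9 - - [07/Aug/2001:08:42:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 272
198.51.100.23 - - [07/Aug/2001:08:42:55 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 272
203.0.113.8 - - [07/Aug/2001:08:43:20 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
24.88.3.3 - - [07/Aug/2001:08:44:01 -0400] "GET / HTTP/1.0" 200 1456
"""

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (source_ip, request_line) for one common-log-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("request")


def classify(request):
    """Tag a request line by the worm traffic it resembles, or None for ordinary traffic.

    Code Red II requests /default.ida with a long run of 'X'; the original Code Red
    used 'N'. /scripts/root.exe and /msadc/root.exe are the cmd.exe copies Code Red II
    drops, so requests for them are probes for that backdoor rather than infection attempts.
    """
    if re.match(r"GET /default\.ida\?X{20,}", request):
        return "CodeRedII"
    if re.match(r"GET /default\.ida\?N{20,}", request):
        return "CodeRed"
    if re.match(r"GET /(?:scripts|msadc)/root\.exe", request):
        return "root.exe probe"
    return None


def same_prefix(a, b, octets):
    """True if dotted-quad addresses a and b share their first `octets` octets."""
    return a.split(".")[:octets] == b.split(".")[:octets]


def summarize(log_text, my_ip):
    """Count hits and distinct source IPs per tag, and split Code Red II sources by locality."""
    hits = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, request = parsed
        kind = classify(request)
        if kind:
            hits[kind] += 1
            sources[kind].add(ip)
    crii = sources["CodeRedII"]
    locality = {
        "same_16": sum(1 for ip in crii if same_prefix(ip, my_ip, 2)),
        "same_8_only": sum(
            1 for ip in crii if same_prefix(ip, my_ip, 1) and not same_prefix(ip, my_ip, 2)
        ),
        "elsewhere": sum(1 for ip in crii if not same_prefix(ip, my_ip, 1)),
    }
    return {
        "hits": dict(hits),
        "distinct": {k: len(v) for k, v in sources.items()},
        "crii_locality": locality,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, MY_IP)
    for kind, n in sorted(result["hits"].items()):
        print(f"{kind:15s} {n:3d} hits from {result['distinct'][kind]} distinct IPs")
    print("Code Red II sources relative to", MY_IP, result["crii_locality"])
```

To run it against a real log, pass the file contents and your own address, e.g. `summarize(open("/var/log/httpd/access_log").read(), "your.ip.here")`; the distinct-source counts correspond to Kai Lien's `select distinct IP`, and the locality split is what billt's "same 24.88/16" observation looks like in numbers.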



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:48:09 EDT