Ron Johnson <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sunday 05 August 2001 11:20, DM wrote:
> > could this be really CODE RED in action? the worm
> > scans the range of ips of an infected machine and
> > verifies if there are MIIS lying around to conquer. i
> > got a lot of those funny default.idaXXXXXXX something
> > on my apache logs and they are coming from a variety
> > of ip addresses ... of which when i try to check are
> > either saying "hacked by chinese" or "page under
> > construction".
>
> So that's what all those "/default.ida?XXXX" and "/default.ida?NNNN"
> entries in my access_log are...
There's a guy on the phoenix linux user's group mailing list
who has set up a script or something to grab those ip addresses
and make a web page showing who's been hacked by code red. Here's
the result:
http://www.magusnet.com/ids.html
Another guy was keeping track of NEW breakin attempts per hour, and
had a list of them. I think he said 1000 NEW attempts in one day...
Makes you really think that maybe this guy has a valid theory:
http://www.pbs.org/cringely/pulpit/pulpit20010802.html
rc
Rusty E. Carruth Email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
Voice: (480) 345-3621 SnailMail: Schlumberger ATE ___
FAX: (480) 345-8793 7855 S. River Parkway, Suite 116 \e/
Ham: N7IKQ @ 146.82+,pl 162.2 Tempe, AZ 85284-1825 V
ICBM: 33 20' 44"N 111 53' 47"W http://tuxedo.org/~esr/ecsl/index.html
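
The tracking described in this message (collecting the source addresses behind the `/default.ida?` requests and counting new sources per hour), as an added example that is not part of the original post and is not either of the scripts it mentions. It assumes Apache Common Log Format, a log in chronological order, and a padding threshold of 20 characters; the sample lines are constructed, with documentation-range addresses and shortened padding.

```python
import re
from datetime import datetime

# Apache Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# Probe signature from the thread: /default.ida? followed by a run of N or X.
# The minimum run length of 20 is an assumption chosen for this example.
PROBE = re.compile(r'^/default\.ida\?(N{20,}|X{20,})')

# Constructed sample input, not real log data
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:10:02:11 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [05/Aug/2001:10:40:53 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.10 - - [05/Aug/2001:11:05:00 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
203.0.113.99 - - [05/Aug/2001:11:17:42 -0700] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [05/Aug/2001:11:30:09 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
garbage line that is not in common log format
"""

def scan(lines):
    """Return (first_seen, new_per_hour) for requests matching PROBE."""
    first_seen = {}    # source IP -> datetime of its first probe
    new_per_hour = {}  # "YYYY-MM-DD HH:00" (log's own timezone) -> new sources
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, stamp, _method, path, _status = m.groups()
        if not PROBE.match(path) or host in first_seen:
            continue  # ordinary request, or a repeat from a known source
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        first_seen[host] = when
        hour = when.strftime("%Y-%m-%d %H:00")
        new_per_hour[hour] = new_per_hour.get(hour, 0) + 1
    return first_seen, new_per_hour

if __name__ == "__main__":
    seen, hourly = scan(SAMPLE_LOG.splitlines())
    for ip, when in seen.items():
        print(f"{ip}  first probe at {when.isoformat()}")
    for hour, count in hourly.items():
        print(f"{hour}  new sources: {count}")
```

To run it against a real log, pass an open file object to `scan()` in place of the sample lines.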