I have noticed a new entry in the apache access logs as follows.
Also the CR2 accesses have dropped off to almost zero.
210.204.88.105 - - [09/Aug/2001:14:54:44 +1000] "-" 408 -
210.72.200.39 - - [09/Aug/2001:15:04:31 +1000] "-" 408 -
210.182.140.14 - - [09/Aug/2001:15:05:15 +1000] "-" 408 -
210.1
On Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths wrote:
> Code Reds Mark II and III have already been identified,
Where can I find information on CR3?
--
With the arrest of Dimitry Sklyarov it has become apparent that it is not
safe for non US software engineers to visit the United State
On Mon, Aug 06, 2001 at 12:43:57PM -0600, John Galt wrote:
> CR2 is actually seeming to have a twist in it's IP picker that weights it
> to the subnets where cable/dsl users are the rule.
According to incidents.org, the weighting is actually set up to favor
the local subnets. It only pounds cable
I just had a look at another site I look after.
It appears from the apache logs that Code Red has not hitting there since
5th August, yet web requests are getting through.
It is being filterred ate the ISP level.
Ian
On Mon, 6 Aug 2001, Chris Niekel wrote:
>On Sun, Aug 05, 2001 at 07:02:35PM -0600, John Galt wrote:
>> [...]
>> CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a
>> pseudo-r00tkit. If the IIS admins didn't learn the first time, they got
>> screwed hardcore the second. Not ev
On Sun, Aug 05, 2001 at 07:02:35PM -0600, John Galt wrote:
> [...]
> CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a
> pseudo-r00tkit. If the IIS admins didn't learn the first time, they got
> screwed hardcore the second. Not even a reacharound this time.
I get hit every 2
>
>There has definately been a change in the original form of the attacks from
># GET /default.ida?N -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0
>to
># GET /default.ida?X -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0
>The second packet is also much shorter (with less X's), although the tail is
>t
after reading that "apparently" the latest code red attacks are coming from
unsuspecting users of that utimate computer virus, i decided to scan the
access log file and send messages to the "best guess" person at the owner of
the ip address (usually a dial-up provider).
i modified the script by
> -Original Message-
> From: Alan Shutko [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 03, 2001 11:18 PM
> To: debian-user@lists.debian.org
> Subject: Re: code red goes on
>
>
> "Karsten M. Self" writes:
>
> > Anyone noting tren
At 05:51 PM 8/5/01 -0700, Karsten M. Self wrote:
>on Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths ([EMAIL PROTECTED])
>wrote:
>
>> Code Reds Mark II and III have already been identified, doing much
>> more maicious things and spreading with better randomisation
>>
>> Hopefully a "cheese
On Mon, 6 Aug 2001, Ian Perry wrote:
>
>
>> -Original Message-
>> From: Alan Shutko [mailto:[EMAIL PROTECTED]
>> Sent: Friday, August 03, 2001 11:18 PM
>> To: debian-user@lists.debian.org
>> Subject: Re: code red goes on
>>
>>
>> &
on Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths ([EMAIL PROTECTED])
wrote:
> Code Reds Mark II and III have already been identified, doing much
> more maicious things and spreading with better randomisation
>
> Hopefully a "cheese worm" equivalent will be relased to stomp on this
> befo
On Fri, Aug 03, 2001 at 12:29:05AM -0500, ktb wrote:
> From what little I have read about it the site in question is defaced
> if it is a page containing English. I'm sure someone who has payed more
> attention could list exactly what it does.
After infecting a system with U.S. English as the de
On Fri, Aug 03, 2001 at 05:30:12PM +, John Griffiths wrote:
> on the 20th of the months the infected machines are all going to launch a
> denial of service attack at a web-server somewhere (last time was the IP
> address of the whitehouse but that mor, or may not, have changed)
I have it fro
Thanks for the responses...
Hehehe... I changed an NT 4.0 Server to a REAL server about
2 months ago... (Potato r3) ... put in apache, samba etc.
I think it was using MS II...(is that what NT uses?)
I'm not sure though...
I know very little about NT... I guess thats why I changed it
to something
"Karsten M. Self" writes:
> Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49,
> respectively. Looks like this is actually the bigger attack.
http://www.incidents.org says that we've already gotten more infected
machines than July 20th, although probes seem to have leveled off.
I'v
At 12:27 AM 8/3/01 -0700, Mike Egglestone wrote:
>Hi..
>
>I grepped my access logs and noticed the "default.ida? etc etc..
>
>What does this mean?
>Have I been attacked? or was it an attemped attack?
>
>What exactly does the virus do to the system?
>
>Thanks
>Mike
>
If your run unpatched MS we
Hi..
I grepped my access logs and noticed the "default.ida? etc etc..
What does this mean?
Have I been attacked? or was it an attemped attack?
What exactly does the virus do to the system?
Thanks
Mike
Quoting Matthias Richter <[EMAIL PROTECTED]>:
> ktb wrote on Fri Aug 03, 2001 at 12:29:
ktb wrote on Fri Aug 03, 2001 at 12:29:05AM:
> On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote:
> > ...gives a hostlist. Anyone know of a central repository who might be
> > collecting same and sending LARTs to the appropriate sysops?
http://www.dshield.org/codered.html> are coll
Karsten M. Self wrote:
> Hmmm:
>
> grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}'
>
> ...gives a hostlist. Anyone know of a central repository who might be
> collecting same and sending LARTs to the appropriate sysops? Or is that
> a complete [EMAIL PROTECTED]&*() waste
>> >
>> >
>> > if you grep your http access log for "default.ida" (good sign
>> > of a code red attempt on an apache box)
>> >
>> > you'll see that code red has infected as many new machines in
>> > the alst two days as it did on 20 July
>
>> I have had 47 in the last 24 hrs.
>
>Please use follow-u
on Fri, Aug 03, 2001 at 03:16:00PM +1000, Ian Perry ([EMAIL PROTECTED]) wrote:
> > -Original Message-
> > From: John Griffiths [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, August 04, 2001 12:54 AM
> > To: debian-user@lists.debian.org
> > Subject: code red g
At 10:08 PM 8/2/01 -0700, Karsten M. Self wrote:
>on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED])
>wrote:
>> if you grep your http access log for "default.ida" (good sign of a
>> code red attempt on an apache box)
>>
>> you'll see that code red has infected as many ne
On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote:
> on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED])
> wrote:
> > if you grep your http access log for "default.ida" (good sign of a
> > code red attempt on an apache box)
> >
> > you'll see that code red h
I have had 47 in the last 24 hrs.
> -Original Message-
> From: John Griffiths [mailto:[EMAIL PROTECTED]
> Sent: Saturday, August 04, 2001 12:54 AM
> To: debian-user@lists.debian.org
> Subject: code red goes on
>
>
> if you grep your http access log for "defaul
on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED])
wrote:
> if you grep your http access log for "default.ida" (good sign of a
> code red attempt on an apache box)
>
> you'll see that code red has infected as many new machines in the alst
> two days as it did on 20 July
if you grep your http access log for "default.ida" (good sign of a code red
attempt on an apache box)
you'll see that code red has infected as many new machines in the alst two days
as it did on 20 July
27 matches
Mail list logo
