On Mon, 6 Aug 2001, Ian Perry wrote:

>> -----Original Message-----
>> From: Alan Shutko [mailto:[EMAIL PROTECTED]
>> Sent: Friday, August 03, 2001 11:18 PM
>> To: debian-user@lists.debian.org
>> Subject: Re: code red goes on
>>
>> "Karsten M. Self" <kmself@ix.netcom.com> writes:
>>
>> > Anyone noting trends between 7/20 and 8/2?  I've got 30 v. 49,
>> > respectively.  Looks like this is actually the bigger attack.
>>
>> http://www.incidents.org says that we've already gotten more infected
>> machines than July 20th, although probes seem to have leveled off.
>>
>> I've heard that this is a slight change on the original code red which
>> seeds the RNG used to pick hosts to try, and it's thus hitting lots of
>> hosts which weren't in the first round.
>
>There has definitely been a change in the original form of the attacks from
># GET /default.ida?NNNNN -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0

normal CodeRed

>to
># GET /default.ida?XXXXX -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0

CodeRed2.  Nastier: it also copies cmd.exe to root.exe, and installs a
pseudo-r00tkit.  If the IIS admins didn't learn the first time, they got
screwed hardcore the second.  Not even a reacharound this time.

>The second packet is also much shorter (with less X's), although the tail is
>the same.
>
>The increase in traffic over the last few days has been marked.
>
>Sept  - 0 hits
>1 Aug - 3 hits     0.1 per hr
>2 Aug - 22 hits    0.9/hr
>3 Aug - 33 Hits    1.4/hr
>4 Aug - 41 Hits    1.7/hr
>5 Aug - 167 Hits   6.9/hr
>6 Aug - 79 Hits   10.0/hr (only 8 hrs of data)
>
>I can see this is going to be a real problem in the upcoming weeks.
>
>I have noticed on the end of each access in the log, Apache gives "404 205"
>404 I guess means page not found, but on two occasions it looks like
>it gave a "200 - ".  Strange.  I thought a valid access was 200.
>
>Ian

-- 
Sacred cows make the best burgers
Who is John Galt?  [EMAIL PROTECTED], that's who!!!